← Home

pm2

npm Repository Homepage
2
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tknew

Keywords

clifault tolerantsysadmintoolspm2logslogjsonexpresshapikrakenreloadload balancerlbload-balancerkubernetesk8spm2-dockerruntimesource mapsgracefulmicroserviceprogrammaticharmonynode-pm2productionkeymetricsnode.js monitoringstrong-pmdeploydeploymentdaemonsupervisorsupervisordnodemonpm2.ioghostghost productionmonitoringkeymetricsprocess managerforeverprofilingprobesapmcontainerforever-monitorkeep process aliveprocess configurationclusteringcluster cliclusterdockercrondevopsdev ops

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:etc-passwd-access AI (semgrep): Process manager reads /etc/passwd to resolve user info for managed processes; standard Unix pattern. ai
semgrep semgrep:child-process-spawn AI (semgrep): Core functionality of a process manager; spawns managed Node.js processes. ai
semgrep semgrep:child-process-import AI (semgrep): pm2 is a process manager that legitimately spawns and manages child processes; child_process usage is core to its functionality. ai
semgrep semgrep:child-process-exec AI (semgrep): pm2 legitimately executes shell commands as part of process management and deployment features. ai
semgrep semgrep:base64-decode AI (semgrep): Base64 decode in Serve.js is standard HTTP Basic Auth parsing, not a malicious payload. ai
typosquat typosquat.levenshtein:pg AI (typosquat): pm2 is a well-established, widely-known package name (4700+ days old, 290 versions); not a typosquat of pg. ai
semgrep semgrep:env-bulk-read AI (semgrep): pm2 legitimately reads process.env to display environment diffs in its describe/inspect UI. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require of package.json in NPM.js is standard tooling behavior for reading project metadata. ai

Versions (showing 2 of 2)

Version Deps Published
7.0.1 22 / 3
7.0.0 22 / 3

v7.0.1

2 findings
HIGH etc-passwd-access: lib/tools/passwd.js:5 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/Unitech/pm2/blob/ba62cae9b9b7116ee758b70f538919a52515fa26/lib/tools/passwd.js#L5 3 | 4 | var getUsers = function() { > 5 | return fs.readFileSync('/etc/passwd') 6 | .toString() 7 | .split('\n')

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v7.0.0

2 findings
HIGH etc-passwd-access: lib/tools/passwd.js:5 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/Unitech/pm2/blob/24adf55ccf3e928ca1cfe72676fe8bfa94589b99/lib/tools/passwd.js#L5 3 | 4 | var getUsers = function() { > 5 | return fs.readFileSync('/etc/passwd') 6 | .toString() 7 | .split('\n')

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.