prisma
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/query_compiler_small_bg.mysql.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.cockroachdb.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.sqlserver.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.sqlite.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.sqlite.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.postgresql.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.mysql.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.cockroachdb.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.sqlserver.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.cockroachdb.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.mysql.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.postgresql.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.sqlite.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.postgresql.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.mysql.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.cockroachdb.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_fast_bg.sqlserver.js | AI (source-diff): wasm-bindgen generated JS glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.sqlserver.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.sqlite.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_small_bg.postgresql.mjs | AI (source-diff): wasm-bindgen generated ESM glue for WASM query compiler; minification is expected and benign. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.mysql.mjs | AI (source-diff): wasm-bindgen generated ESM glue code for WASM query compiler. Legitimate build artifact. | ai | |
| provenance | publisher-changed | AI (provenance): Prisma migrated from prismabot to GitHub Actions for automated publishing with SLSA provenance. This is a legitimate CI/CD transition, not a takeover. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.cockroachdb.js | AI (source-diff): wasm-bindgen generated JS glue code for WASM query compiler. __wbg_/__wbindgen_ naming is unmistakably wasm-bindgen output, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.mysql.js | AI (source-diff): wasm-bindgen generated JS glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.postgresql.js | AI (source-diff): wasm-bindgen generated JS glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.sqlite.js | AI (source-diff): wasm-bindgen generated JS glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.sqlserver.js | AI (source-diff): wasm-bindgen generated JS glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.cockroachdb.mjs | AI (source-diff): wasm-bindgen generated ESM glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.postgresql.mjs | AI (source-diff): wasm-bindgen generated ESM glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.sqlite.mjs | AI (source-diff): wasm-bindgen generated ESM glue code for WASM query compiler. Legitimate build artifact. | ai | |
| source-diff | obfuscated-file:build/query_compiler_bg.sqlserver.mjs | AI (source-diff): wasm-bindgen generated ESM glue code for WASM query compiler. Legitimate build artifact. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Gap is artifact of review system not approving v6.x series; Prisma has been actively maintained. Major version jump v5→v7 explains the diff distance. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in minified bundle is part of error message formatting, not dynamic code execution from external input. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding appears in bundled HTTP/multipart handling (undici internals); standard networking code, not a payload obfuscation concern. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Prisma reads environment variables (DATABASE_URL, etc.) as part of normal database connection configuration; not a data exfiltration risk. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning the Prisma query engine binary is the documented binary engine execution model; not a supply chain risk. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Prisma's binary runtime spawns the query engine binary as its core execution model; child_process usage is expected and legitimate. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in WASM query engine bindings is standard WASM interop pattern, not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to inspect generated package.json before cleanup — a legitimate safety check in the generator build. | ai | |
| dependencies | unvetted-dep:@prisma/studio-core | AI (dependencies): First-party Prisma monorepo sub-package for Prisma Studio; expected runtime dependency of the Prisma CLI. | ai | |
| dependencies | unvetted-dep:@prisma/config | AI (dependencies): First-party Prisma monorepo sub-package; expected runtime dependency of the Prisma CLI. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Prisma CLI's preinstall script performs Node.js version validation — a documented, stable pattern present across all Prisma CLI versions. Not a security risk. | ai | |
| dependencies | unvetted-dep:@prisma/engines | AI (dependencies): First-party Prisma monorepo sub-package; expected runtime dependency of the Prisma CLI. | ai | |
| phantom-deps | phantom-dep:@prisma/studio-core | AI (phantom-deps): First-party Prisma sub-package for Prisma Studio; dynamically loaded when Studio is invoked. | ai | |
| phantom-deps | phantom-dep:@prisma/engines | AI (phantom-deps): First-party Prisma sub-package; engines are loaded dynamically based on platform — expected behavior. | ai | |
| phantom-deps | phantom-dep:@prisma/dev | AI (phantom-deps): First-party Prisma sub-package; dynamic loading pattern is expected for this CLI tool. | ai | |
| phantom-deps | phantom-dep:postgres | AI (phantom-deps): postgres is a database driver dynamically loaded by Prisma CLI for PostgreSQL support; not directly imported at the top level by design. | ai | |
| phantom-deps | phantom-dep:mysql2 | AI (phantom-deps): mysql2 is a database driver dynamically loaded by Prisma CLI for MySQL support; not directly imported at the top level by design. | ai | |
| dependencies | unvetted-dep:@prisma/dev | AI (dependencies): First-party Prisma monorepo dev/utility sub-package; expected dependency of the Prisma CLI. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 7.8.0 | 6 / 61 | |
| 7.6.0 | 6 / 61 | |
| 7.5.0 | 6 / 59 | |
| 7.4.2 | 6 / 59 | |
| 7.4.1 | 6 / 59 | |
| 7.4.0 | 6 / 59 | |
| 7.2.0 | 6 / 59 | |
| 7.1.0 | 6 / 57 | |
| 7.0.1 | 6 / 57 | |
| 7.0.0 | 6 / 56 | |
| 5.17.0 | 1 / 44 | |
v7.8.0
2 findings
Script: node scripts/preinstall-entry.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.6.0
23 findings
This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.5.0
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.2
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.1
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.0
21 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.2.0
12 findings
This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.1
12 findings
This version was published by a different npm account than previous versions on 2025-11-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.0
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
v5.17.0
6 findings
Script: node scripts/preinstall-entry.js
Spreading entire process.env into an object — may capture all secrets
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.