rescript No license 7 versions

rescript

npm Repository Homepage

7

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

hongbo_zhangchenglouryyppycristianoccknittelfham_

Keywords

ReScriptCompilerTypesJavaScriptLanguage

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation present; strong supply chain integrity signal for this package.	ai	2026/05/18
source-diff	source-size-dropped	AI (source-diff): Runtime code extracted into @rescript/runtime package; size drop is structural, not a stub replacement.	ai	2026/05/18
publish-pattern	dormant-publish	AI (publish-pattern): Major version gap (v11→v12) explains the dormancy; legitimate release cadence for a compiler toolchain.	ai	2026/05/18
provenance	publisher-changed	AI (provenance): Intentional migration to GitHub Actions CI publishing with SLSA provenance; matches official rescript-lang org repo.	ai	2026/05/18
semgrep	semgrep:child-process-import	AI (semgrep): child_process used solely to invoke bundled compiler binaries; stable pattern for this package.	ai	2026/05/08
install-scripts	install-script:postinstall	AI (install-scripts): Compiler toolchain; postinstall selects platform binary — stable pattern across all rescript versions.	ai	2026/05/08
npm-metadata	bundled-binaries	AI (npm-metadata): ReScript ships prebuilt compiler binaries per platform by design; not a backdoor indicator.	ai	2026/05/08
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawns the bundled rescript_exe compiler binary; expected for a compiler CLI wrapper.	ai	2026/05/08
semgrep	semgrep:env-spread	AI (semgrep): CLI launcher passing process.env to child_process.spawn is standard; no exfiltration risk.	ai	2026/05/08
phantom-deps	phantom-dep:@rescript/runtime	AI (phantom-deps): First-party sibling package; referenced in config/runtime context, not a phantom dep concern.	ai	2026/05/08

Versions (showing 7 of 7)

Version	Deps	Published
12.3.0	1 / 8	2026-05-19
12.2.0	1 / 8	2026-02-27
12.1.0	1 / 8	2026-01-13
12.0.2	1 / 8	2025-12-26
12.0.1	1 / 8	2025-12-09
12.0.0	1 / 8	2025-11-25
11.0.0	0 / 3	2024-01-10

v12.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.2.0

2 findings

HIGH env-spread: cli/rescript.js:22 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/rescript-lang/rescript/blob/9929a147bd2de9e75b8145f7e43ef9de80886714/cli/rescript.js#L22 20 | const child = child_process.spawn(rescript_exe, args, { 21 | stdio: "inherit", > 22 | env: { ...process.env, RESCRIPT_RUNTIME: runtimePath }, 23 | }); 24 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.1.0

2 findings

HIGH Publisher changed: cknittel → GitHub Actions (on 2026-01-13) provenance

This version was published by a different npm account than previous versions on 2026-01-13. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.2

2 findings

HIGH Publisher changed: cknittel → GitHub Actions (on 2025-12-26) provenance

This version was published by a different npm account than previous versions on 2025-12-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.1

2 findings

HIGH Publisher changed: cknittel → GitHub Actions (on 2025-12-09) provenance

This version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.0

2 findings

HIGH Publisher changed: cknittel → GitHub Actions (on 2025-11-25) provenance

This version was published by a different npm account than previous versions on 2025-11-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.0

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/rescript_postinstall.js

HIGH Bundled binary files (20) npm-metadata

Package contains compiled binaries that could be backdoors: • darwin/bsb_helper.exe • darwinarm64/bsb_helper.exe • linux/bsb_helper.exe • linuxarm64/bsb_helper.exe • win32/bsb_helper.exe • darwin/bsc.exe • darwinarm64/bsc.exe • linux/bsc.exe • linuxarm64/bsc.exe • win32/bsc.exe ... and 10 more

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.