
vite-plugin-mkcert

Versions: 4
License:
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; gitHead linked

Maintainers

liuweigl

Keywords

vite-plugin, certificate, https, mkcert

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source / Rule / Reason / Accepted by / When

semgrep, semgrep:env-spread, accepted by: ai
    AI (semgrep): Spreads process.env to pass CAROOT env var to mkcert subprocess — standard and intentional for this plugin.

semgrep, semgrep:shady-links-raw-ip, accepted by: ai
    AI (semgrep): Raw IP appears only in a JSDoc @example comment for the proxy option, not in executable code.

phantom-deps, phantom-dep:supports-color, accepted by: ai
    AI (phantom-deps): supports-color is a declared runtime dep; may be used transitively or via debug — stable false positive for this package.

Versions (showing 4 of 4)

Version    Deps     Published
2.1.0      3 / 10
2.0.0      3 / 12
1.17.12    2 / 12
1.17.10    3 / 11

v2.1.0

1 finding
INFO  provenance: Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the npm registry currently offers: the attestation binds the published tarball to the source repository, commit and CI workflow that built it, so a tarball that was altered after the build, or built outside that workflow, fails verification. It says nothing about whether the source itself is benign; the code at the attested commit still needs review.

v2.0.0

2 findings
HIGH  semgrep env-spread: plugin/src/mkcert/index.ts:218

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/liuweiGL/vite-plugin-mkcert/blob/0b2eeee1f6440b2d66332407eaea580fc61de270/plugin/src/mkcert/index.ts#L218

  216 |
  217 |   await exec(cmd, {
> 218 |     env: {
  219 |       ...process.env,
  220 |       CAROOT: this.savePath,

INFO  provenance: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.12

2 findings
HIGH  semgrep env-spread: plugin/src/mkcert/index.ts:213

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/liuweiGL/vite-plugin-mkcert/blob/37d0955ad2a86e5c94343113fef020f9f64c2578/plugin/src/mkcert/index.ts#L213

  211 |
  212 |   await exec(cmd, {
> 213 |     env: {
  214 |       ...process.env,
  215 |       CAROOT: this.savePath,

INFO  provenance: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.10

2 findings
HIGH  semgrep env-spread: plugin/mkcert/index.ts:213

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/liuweiGL/vite-plugin-mkcert/blob/d0bb1814711aa5fa66cba4c8748f8d8564ff6628/plugin/mkcert/index.ts#L213

  211 |
  212 |   await exec(cmd, {
> 213 |     env: {
  214 |       ...process.env,
  215 |       CAROOT: this.savePath,

LOW  provenance: No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: nothing ties this tarball to a source commit or build beyond the publisher's account and the registry signature, so its contents should be diff-reviewed against the repository rather than assumed to match it.