@actions/exec
Actions exec lib
Versions: 9
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
chrispat, bryanmacfarlane, thboop, konradpabjan, cschleiden, bdehamer, joshmgross
Keywords
github, actions, exec
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @actions/io is a sibling package from the same actions/toolkit monorepo; expected dependency for exec. | ai | |
| provenance | publisher-changed | AI (provenance): thboop is a known GitHub Actions team member; legitimate maintainer rotation within the actions/toolkit org. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): All added maintainers (thboop, konradpabjan, cschleiden, joshmgross) are known GitHub Actions team members. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers left the GitHub Actions team; normal organizational turnover. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; gitHead absence is a CI environment change, not a risk signal for this official GitHub Actions package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): @actions/exec is an exec utility library; spawning child processes is its core, documented purpose. This finding is a stable false positive for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is required for the library's exec functionality; already marked [Accepted risk] by the analyzer. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@actions/io | AI (dependencies): @actions/io is a sibling package from the official GitHub Actions toolkit monorepo — a well-known, legitimate dependency stable across all versions of this package. | ai | |