@lhci/cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Intentional: passes env to Lighthouse child process with CHROME_PATH override; expected for a CI runner. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Core functionality of a CI tool that spawns Lighthouse and other processes. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawns Lighthouse CLI as a child process — fundamental to the tool's purpose. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads optional puppeteer from CWD node_modules; documented optional dependency pattern. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only LHCI_-prefixed env vars for config; safe and intentional. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @lhci/cli is the official Lighthouse CI package under GoogleChrome org; no relation to joi. | ai | |
v0.15.1
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/GoogleChrome/lighthouse-ci/blob/76a49c7cc26cfc6dcff4248e1f170efb845245bb/src/collect/node-runner.js#L96

```js
  94 |   let stderr = '';
  95 |
> 96 |   const env = {...process.env, CHROME_PATH: options.chromePath || process.env.CHROME_PATH};
  97 |   const {args, cleanupFn} = LighthouseRunner.computeArgumentsAndCleanup(url, options);
  98 |   const child = childProcess.spawn('node', [LH_CLI_PATH, ...args], {env});
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.