@netlify/config
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Build config tool intentionally merges process.env for build environment handling; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@netlify/api | AI (dependencies): First-party Netlify scoped package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@netlify/headers-parser | AI (dependencies): First-party Netlify scoped package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@netlify/redirect-parser | AI (dependencies): First-party Netlify scoped package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:figures | AI (dependencies): Well-known Unicode symbols utility; no risk signal. | ai | |
| dependencies | unvetted-dep:tomlify-j0.4 | AI (dependencies): TOML serialization utility; stable dependency for this package. | ai |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 24.6.0 | 25 / 7 | |
| 24.5.1 | 25 / 7 | |
| 24.5.0 | 25 / 7 | |
| 24.4.4 | 25 / 7 | |
| 24.4.3 | 25 / 7 | |
| 24.4.2 | 25 / 7 | |
| 24.4.1 | 25 / 7 | |
| 24.4.0 | 25 / 7 | |
| 24.3.1 | 25 / 7 | |
| 24.3.0 | 25 / 7 | |
| 24.2.1 | 25 / 7 | |
| 24.2.0 | 25 / 7 | |
| 24.1.2 | 25 / 7 | |
| 24.1.1 | 25 / 7 | |
| 24.1.0 | 25 / 7 | |
| 24.0.9 | 25 / 7 | |
| 24.0.8 | 25 / 7 | |
| 24.0.7 | 25 / 7 | |
| 24.0.6 | 25 / 7 | |
| 24.0.5 | 25 / 7 | |
| 24.0.4 | 25 / 7 | |
| 24.0.3 | 25 / 7 | |
| 24.0.2 | 25 / 7 | |
| 24.0.1 | 25 / 7 | |
| 24.0.0 | 25 / 7 |
v24.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.5.0
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/netlify/build/blob/c77982ba1d1886e81f1a517318fcf93123f2a260/lib/options/main.js#L28 26 | }; 27 | const getDefaultOpts = function ({ env: envOpt = {}, cwd: cwdOpt, defaultConfig = {} }) { > 28 | const combinedEnv = { ...process.env, ...envOpt }; 29 | return { 30 | defaultConfig,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.0.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.