
@nomicfoundation/hardhat-utils

Versions: 13
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Keywords

ethereum, smart-contracts, hardhat

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:silent-process-exec | AI (semgrep): Spawns process.execPath (Node.js itself) detached — standard Hardhat pattern for background worker subprocesses, not a reverse shell or miner. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same subprocess.ts spawn call as silent-process-exec; legitimate background Node.js worker pattern for Hardhat tooling. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Standard Buffer.from hex decoding in an Ethereum utility library; hex manipulation is core to the package's purpose. | ai |

Versions (showing 13 of 13)

Version | Deps | Published
4.1.3 | 7 / 10 |
4.1.2 | 7 / 10 |
4.1.1 | 7 / 10 |
4.1.0 | 7 / 10 |
4.0.5 | 8 / 11 |
4.0.4 | 8 / 11 |
4.0.3 | 8 / 11 |
4.0.2 | 8 / 11 |
4.0.1 | 8 / 11 |
4.0.0 | 8 / 11 |
3.0.6 | 8 / 11 |
3.0.5 | 8 / 11 |
3.0.4 | 8 / 11 |

v4.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.4

3 findings
HIGH silent-process-exec: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

HIGH silent-process-exec-var: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

3 findings
HIGH silent-process-exec: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

HIGH silent-process-exec-var: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

3 findings
HIGH silent-process-exec: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

HIGH silent-process-exec-var: src/subprocess.ts:39 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)

      37 |   }
      38 |
    > 39 |   const subprocess = spawn(process.execPath, subprocessArgs, {
      40 |     detached: true,
      41 |     env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.