@novu/framework ISC 7 versions

@novu/framework

npm Repository

The Code-First Notifications Workflow SDK.

7

Versions

ISC

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

scopsyletitrockhimanshu-novuchmarax

Keywords

novucode-firstworkflowsdurablesdknotificationsemailsmspushwebhooksnextnuxth3express

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/cjs/jsx-dev-runtime.cjs	AI (source-diff): Standard minified bundler output (esbuild/tsup); content is readable UI component logic, not obfuscated malware.	ai	2026/06/03
source-diff	obfuscated-file:dist/cjs/jsx-runtime.cjs	AI (source-diff): Standard minified bundler output; same pattern as jsx-dev-runtime.cjs, stable for this package.	ai	2026/06/03

Versions (showing 7 of 7)

Version	Deps	Published
2.11.0	11 / 22	2026-06-02
2.10.0	10 / 22	2026-03-27
2.9.0	10 / 22	2025-12-02
2.8.0	10 / 22	2025-11-12
2.7.1	9 / 22	2025-09-16
2.7.0	9 / 22	2025-09-16
2.6.7	9 / 23	2025-05-21

v2.11.0

4 findings

HIGH New obfuscated file: dist/cjs/jsx-dev-runtime.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/cjs/jsx-runtime.cjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: chmarax → scopsy (on 2026-06-02, known maintainer) provenance

This version was published by a different npm account (scopsy) than the most recent previously approved version (chmarax) on 2026-06-02, but scopsy is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v2.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.