@pob/root
root package
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@pob/pretty-pkg | AI (dependencies): Same @pob org package, consistent with this monorepo's internal dependency pattern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require resolves a hardcoded 'prettier' module path, not user-controlled input. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): Scoped @pob/ package with 2281 days of history; Levenshtein match to 'got' is a false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is used to pass environment to execSync subprocess — standard pattern, not exfiltration. | ai | |
| phantom-deps | phantom-dep:conventional-commits-parser | AI (phantom-deps): Used indirectly via config; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-writer | AI (phantom-deps): Used indirectly via config; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:pob-dependencies | AI (phantom-deps): Referenced in config files as documented; stable false positive for this tooling package. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 24.1.0 | 13 / 0 | |
| 24.0.0 | 13 / 0 | |
| 23.2.0 | 13 / 0 | |
| 23.1.0 | 13 / 0 | |
| 23.0.0 | 13 / 0 | |
| 22.4.0 | 13 / 0 | |
| 22.3.0 | 13 / 0 | |
| 22.2.0 | 13 / 0 | |
| 22.1.0 | 13 / 0 | |
| 22.0.0 | 13 / 0 | |
| 21.0.0 | 13 / 0 | |
| 20.4.2 | 14 / 0 | |
| 20.4.1 | 14 / 0 | |
| 20.3.0 | 14 / 0 | |
| 20.2.2 | 14 / 0 | |
| 20.2.1 | 14 / 0 | |
| 20.2.0 | 14 / 0 | |
| 20.1.0 | 14 / 0 | |
| 20.0.3 | 14 / 0 | |
| 20.0.2 | 14 / 0 | |
| 20.0.0 | 14 / 0 | |
| 19.8.0 | 17 / 0 | |
v24.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.2.0
2 findings:
Spreading entire process.env into an object may capture all secrets. Source: https://github.com/christophehurpeau/pob/blob/a0b7eb5e5ba475f0b138ff590765112319adf5e5/bin/postinstall/update-yarn.js#L43

```js
execSync("yarn install", {
  stdio: "inherit",
  env: {            // flagged line: the spread below hands every variable to the child
    ...process.env,
    PATH: paths.join(":"),
  },
});
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v23.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v23.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v22.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.4.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v19.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
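Every version listed above carries the same finding: no Sigstore provenance. As an added example that is neither the scanner's code nor the npm registry's, the following checks a registry packument for that property, and separates three things a reviewer can confuse: a registry signature (the registry served this tarball), an attestation bundle being present at all, and a provenance attestation with a SLSA predicate (a verifiable build origin). The field layout `versions[v].dist.attestations.provenance.predicateType` is what the npm registry returns for `npm view <pkg> --json`; the sample packument, its hypothetical 99.0.0 release and the helper names are constructed for this example.

```javascript
// Added example, not the scanner's or the registry's code: decide, from a registry
// packument, which versions of a package carry Sigstore/SLSA provenance.
// SAMPLE_PACKUMENT, the 99.0.0 version and the helper names are constructed here.
const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

function provenanceStatus(packument) {
  const report = {};
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const dist = meta.dist || {};
    const attestations = dist.attestations;
    const predicate =
      attestations && attestations.provenance && attestations.provenance.predicateType;
    report[version] = {
      // Registry signature: proves the registry served this tarball, says nothing about the build.
      registrySigned: Array.isArray(dist.signatures) && dist.signatures.length > 0,
      // An attestation bundle is published for this version.
      hasAttestations: Boolean(attestations && attestations.url),
      // Provenance attestation with a SLSA predicate, i.e. a verifiable build origin.
      slsaProvenance: Boolean(predicate && SLSA_PREDICATES.has(predicate)),
      predicateType: predicate || null,
    };
  }
  return report;
}

// Versions a reviewer would flag exactly as this page does.
function versionsWithoutProvenance(packument) {
  const report = provenanceStatus(packument);
  return Object.keys(report).filter((v) => !report[v].slsaProvenance);
}

const SAMPLE_PACKUMENT = {
  name: "@pob/root",
  versions: {
    // As reported on this page: no attestations at all.
    "24.0.0": {
      dist: { tarball: "https://registry.npmjs.org/@pob/root/-/root-24.0.0.tgz" },
    },
    // Registry-signed but still no provenance; must not be mistaken for attested.
    "24.1.0": {
      dist: {
        tarball: "https://registry.npmjs.org/@pob/root/-/root-24.1.0.tgz",
        signatures: [{ keyid: "SHA256:example-registry-key", sig: "example-signature" }],
      },
    },
    // Hypothetical future release published from CI with `npm publish --provenance`.
    "99.0.0": {
      dist: {
        tarball: "https://registry.npmjs.org/@pob/root/-/root-99.0.0.tgz",
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/@pob%2froot@99.0.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};
```

For a real package, `npm view @pob/root --json` returns the packument to feed to provenanceStatus, and `npm audit signatures` performs the actual cryptographic verification of registry signatures and provenance attestations for the packages in a lockfile. On the maintainer side, the fix the findings ask for is publishing from CI with `npm publish --provenance` (on GitHub Actions the job needs the `id-token: write` permission). Provenance only ties the tarball to a specific source commit and build run; it does not say the source is benign, so it complements, rather than replaces, the dependency and code-pattern checks in the accepted-risks table.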