@prisma/engines — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

prismabotaqrln

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@prisma/engines-version	AI (dependencies): @prisma/engines-version is Prisma's own internal versioning package, pinned to a commit hash as part of their standard release process. Stable false positive for this package.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): Prisma migrated publishing from prismabot to GitHub Actions CI/CD with SLSA provenance attestation — a legitimate and improved supply chain practice for this package.	ai	2026/04/26
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual maintainers is consistent with Prisma centralizing releases through GitHub Actions CI/CD. SLSA provenance confirms legitimate automated publishing.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): Package has 7363 versions and is actively maintained; the gap reflects the diff being against an older approved version (v5.17.0), not actual dormancy.	ai	2026/04/26
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in postinstall.js is used to load Prisma's own download script conditionally; not arbitrary code loading, stable pattern for this package.	ai	2026/04/25
bogus-package	bogus-package	AI (bogus-package): Package is explicitly internal infrastructure for Prisma; sparse README and no keywords are expected and stable for this package.	ai	2026/04/25
install-scripts	install-script:postinstall	AI (install-scripts): @prisma/engines uses postinstall to download platform-specific engine binaries — a documented, long-standing pattern stable across all versions of this package.	ai	2026/04/25

Versions (showing 8 of 8)

Version	Deps	Published
7.8.0	4 / 6	2026-04-22
7.7.0	4 / 6	2026-04-07
7.6.0	4 / 6	2026-03-27
7.0.0	4 / 7	2025-11-19
6.19.3	4 / 7	2026-04-01
6.19.1	4 / 7	2025-12-10
6.19.0	4 / 7	2025-11-05
5.17.0	4 / 7	2024-07-16

v7.8.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.7.0

2 findings

HIGH Publisher changed: prismabot → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.0

2 findings

HIGH Publisher changed: prismabot → GitHub Actions (on 2026-03-27) provenance

This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: prismabot → GitHub Actions (on 2025-11-19) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.

v6.19.3

2 findings

HIGH Publisher changed: prismabot → GitHub Actions (on 2026-04-01) provenance

This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.19.1

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: prismabot → GitHub Actions (on 2025-12-10) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-10. This could indicate a legitimate maintainer transition or an account compromise.

v6.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.17.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.