beachball
The Sunniest Semantic Version Bumper
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:p-graph | AI (dependencies): p-graph is a legitimate task-graph library used intentionally by beachball for parallel publishing; stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): Established Microsoft package; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into execa options for npm CLI calls is standard and intentional for this package. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 2.65.5 | 10 / 13 | |
| 2.65.4 | 10 / 13 | |
| 2.65.1 | 10 / 13 | |
| 2.64.3 | 10 / 27 | |
| 2.64.2 | 10 / 27 | |
| 2.64.0 | 10 / 27 | |
| 2.63.1 | 10 / 28 | |
| 2.63.0 | 10 / 28 | |
| 2.62.0 | 11 / 29 | |
| 2.61.0 | 11 / 29 | |
| 2.60.1 | 11 / 23 | |
| 2.60.0 | 11 / 23 | |
| 2.58.0 | 11 / 23 | |
| 2.56.0 | 12 / 24 | |
| 2.55.1 | 12 / 24 | |
| 2.55.0 | 12 / 24 | |
v2.65.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.65.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.65.1
2 findings:
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/microsoft/beachball/blob/7e77057a6bd93a4d9d8e4ab62e3dc886c1f9e713/lib/packageManager/getNpmPackageInfo.js#L36

```
  34 |   cwd: options.path,
  35 |   all: true,
> 36 |   env: { ...process.env, ...(0, npmArgs_1.getNpmAuthEnv)(options) },
  37 | });
  38 | if (showResult.success && showResult.stdout !== '') {
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.64.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.64.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.64.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.63.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.63.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.62.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.61.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.60.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.60.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.58.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.56.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.55.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.55.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.