
knex

Versions: 11
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

tgriesser, wubzz, elhigu, kibertoad, olivier.cavadenti

Keywords

sql, query, postgresql, postgres, mysql, cockroachdb, sqlite3, oracle, mssql, builder, querybuilder, build, db, database

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in scripts/build.js, a build-time script not executed at install or runtime. Standard for a complex build tool like knex. | ai |
semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec is in scripts/build.js for build orchestration only. Not reachable by consumers at runtime or install time. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): knex CLI uses dynamic require to load the project-local knex installation, a standard, documented pattern for CLI tools. Stable across all versions. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Buffer.from(uuid, 'hex') is a standard UUID-to-binary conversion for MySQL storage. Legitimate utility function, not obfuscation. | ai |
dependencies | unvetted-dep:getopts | AI (dependencies): getopts is a small, stable CLI argument parser that has been a long-standing dependency of knex. No security concerns. | ai |
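The accepted child_process findings rest on one claim: scripts/build.js runs at build time, never on a consumer's machine. That claim is checkable from the manifest alone, which is also what the "Install Scripts: No" badge summarises. Below is an added example (not knex's or npm's code) that classifies package.json lifecycle scripts by when npm runs them and follows `npm run` chains so an install hook that reaches a build script indirectly is still caught. The manifests are constructed to resemble that layout; they are not knex's real package.json, and the hook lists are the ones npm documents for dependency installs.

```javascript
// Added example: which package.json scripts run on a consumer's machine?
// Constructed manifests; not knex's real package.json.

// Hooks npm runs when the package is installed as a dependency from a
// registry tarball.
const REGISTRY_INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// `prepare` additionally runs when the dependency is installed from a git URL
// or local path: there is no prebuilt tarball, so npm builds it on your machine.
const GIT_INSTALL_HOOKS = ["prepare"];

// Constructed: build script wired only to publish time, as the accepted risks describe.
const SAMPLE_MANIFEST = {
  name: "example-query-builder",
  version: "0.0.0",
  scripts: {
    build: "node scripts/build.js",   // uses child_process, per the findings
    prepublishOnly: "npm run build",  // maintainer's machine, at publish
    test: "mocha",
  },
};

// Constructed counter-example: the same build script reachable from postinstall.
const RISKY_MANIFEST = {
  ...SAMPLE_MANIFEST,
  scripts: { ...SAMPLE_MANIFEST.scripts, postinstall: "npm run build" },
};

// Constructed: only reachable when installed from git (prepare), not from the registry.
const GIT_ONLY_MANIFEST = {
  ...SAMPLE_MANIFEST,
  scripts: { ...SAMPLE_MANIFEST.scripts, prepare: "npm run build" },
};

function classifyScripts(manifest) {
  const out = { registryInstall: [], gitInstall: [], other: [] };
  for (const [name, cmd] of Object.entries(manifest.scripts || {})) {
    if (REGISTRY_INSTALL_HOOKS.includes(name)) out.registryInstall.push({ name, cmd });
    else if (GIT_INSTALL_HOOKS.includes(name)) out.gitInstall.push({ name, cmd });
    else out.other.push({ name, cmd });
  }
  return out;
}

// Follow `npm run <x>` / `npm run-script <x>` chains starting at `name`.
// Returns the set of script names reachable from it (including itself).
function reachableScripts(scripts, name, seen = new Set()) {
  if (seen.has(name) || !scripts[name]) return seen;
  seen.add(name);
  const re = /\bnpm\s+run(?:-script)?\s+([\w:.-]+)/g;
  let m;
  while ((m = re.exec(scripts[name])) !== null) reachableScripts(scripts, m[1], seen);
  return seen;
}

// The gate: list every install hook whose chain touches `sensitivePath`.
// Empty array means installing the package cannot run that file.
function installWouldRun(manifest, sensitivePath, { fromGit = false } = {}) {
  const scripts = manifest.scripts || {};
  const hooks = fromGit ? [...REGISTRY_INSTALL_HOOKS, ...GIT_INSTALL_HOOKS] : REGISTRY_INSTALL_HOOKS;
  const hits = [];
  for (const hook of hooks) {
    if (!scripts[hook]) continue;
    for (const s of reachableScripts(scripts, hook)) {
      if (scripts[s].includes(sensitivePath)) hits.push(`${hook} -> ${s}`);
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyScripts(SAMPLE_MANIFEST));
  console.log(installWouldRun(SAMPLE_MANIFEST, "scripts/build.js"));           // []
  console.log(installWouldRun(RISKY_MANIFEST, "scripts/build.js"));            // ["postinstall -> build"]
  console.log(installWouldRun(GIT_ONLY_MANIFEST, "scripts/build.js", { fromGit: true })); // ["prepare -> build"]
}
```

To run this against the real published manifest rather than the constructed one, feed it the output of `npm view knex@3.2.10 scripts --json` (wrapped as `{ scripts: ... }`); the registry tarball's package.json, not the repository's, is what consumers install.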

Versions (showing 11 of 11)

Version | Deps | Published
3.2.10 | 14 / 44 |
3.2.9 | 14 / 44 |
3.2.8 | 14 / 44 |
3.2.7 | 14 / 45 |
3.2.6 | 14 / 45 |
3.2.5 | 14 / 45 |
3.2.4 | 14 / 44 |
3.2.3 | 14 / 44 |
3.2.2 | 14 / 44 |
3.2.1 | 14 / 43 |
3.2.0 | 14 / 42 |

v3.2.10 (3 findings)

HIGH [provenance] Missing gitHead; previous versions had it

This version has no gitHead field linking it to a source commit, but previous versions did, which suggests the publish environment changed. Published by: GitHub Actions. Because this version also carries a SLSA provenance attestation (below), the source repository and commit are recorded in the attestation's predicate rather than in gitHead; read them from there and confirm they point at the repository you expect.

HIGH [provenance] Publisher changed: tgriesser → GitHub Actions (on 2026-05-02)

This version was published on 2026-05-02 by a different identity than previous versions: a CI publisher rather than the personal account that published earlier releases. Together with the first attested release in the visible history landing on the same version, this is consistent with a legitimate move to publishing from CI, but it is also what an account compromise that redirected publishing to an attacker-controlled workflow would look like. Do not accept it on version metadata alone: verify the attestation (`npm audit signatures`) and check that the attested source repository and workflow are the project's own.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal available on npm, provided the attestation's repository and workflow are the ones you expect; a valid attestation from the wrong repository is not a reassurance.
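The three findings for v3.2.10 are mechanical checks on two registry documents: the packument (per-version `_npmUser` and `gitHead`) and the attestations endpoint (a Sigstore bundle whose DSSE payload is an in-toto statement with the SLSA v1 predicate named above). The added example below (not knex's or npm's code) reproduces the publisher-changed and missing-gitHead findings from a constructed packument excerpt, then shows where the source commit lives once gitHead is gone: in the attestation's `buildDefinition.resolvedDependencies`. It does not verify signatures; run `npm audit signatures` or use sigstore-js first, then apply these checks to the verified statement. All digests, commit ids, the builder id prefix and the workflow path are placeholders, and the expected repository https://github.com/knex/knex is an assumption of the example, not something this page states.

```javascript
// Added example: reproduce the v3.2.10 provenance findings offline.
// Constructed registry data; shapes follow the npm registry, values are placeholders.

const SLSA_V1 = "https://slsa.dev/provenance/v1";
const INTOTO_PAYLOAD = "application/vnd.in-toto+json";

// (a) constructed packument excerpt (GET https://registry.npmjs.org/knex):
//     publisher account and gitHead per version, matching the report's story.
const SAMPLE_PACKUMENT = {
  name: "knex",
  versions: {
    "3.2.8":  { version: "3.2.8",  gitHead: "1".repeat(40), _npmUser: { name: "tgriesser" } },
    "3.2.9":  { version: "3.2.9",  gitHead: "2".repeat(40), _npmUser: { name: "tgriesser" } },
    "3.2.10": { version: "3.2.10", _npmUser: { name: "GitHub Actions" } }, // no gitHead
  },
};

// (b) constructed in-toto statement, wrapped as the attestations endpoint returns it
//     (GET https://registry.npmjs.org/-/npm/v1/attestations/knex@3.2.10).
const SAMPLE_STATEMENT = {
  _type: "https://in-toto.io/Statement/v1",
  subject: [{ name: "pkg:npm/knex@3.2.10", digest: { sha512: "placeholder-sha512" } }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: "placeholder-build-type",
      externalParameters: { workflow: { repository: "https://github.com/knex/knex",
        ref: "refs/heads/master", path: ".github/workflows/placeholder.yml" } },
      resolvedDependencies: [{ uri: "git+https://github.com/knex/knex@refs/heads/master",
        digest: { gitCommit: "3".repeat(40) } }],
    },
    runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" } },
  },
};
const SAMPLE_ATTESTATIONS = {
  attestations: [{ predicateType: SLSA_V1, bundle: { dsseEnvelope: {
    payloadType: INTOTO_PAYLOAD,
    payload: Buffer.from(JSON.stringify(SAMPLE_STATEMENT)).toString("base64"),
    signatures: [{ sig: "placeholder" }],   // not checked here
  } } }],
};

function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk versions in order and flag the two transitions the report raises.
function provenanceFindings(packument) {
  const findings = [];
  let prev = null;
  for (const v of Object.keys(packument.versions).sort(compareSemver)) {
    const meta = packument.versions[v];
    const publisher = meta._npmUser ? meta._npmUser.name : null;
    if (prev) {
      if (prev.publisher !== publisher)
        findings.push({ version: v, severity: "HIGH", rule: "publisher-changed", detail: `${prev.publisher} -> ${publisher}` });
      if (prev.gitHead && !meta.gitHead)
        findings.push({ version: v, severity: "HIGH", rule: "missing-gitHead", detail: `previous version had ${prev.gitHead}` });
    }
    prev = { publisher, gitHead: meta.gitHead };
  }
  return findings;
}

// Decode the DSSE payload and pull repository, workflow, commit and builder out
// of a SLSA v1 statement. The subject must name exactly this package version
// (purl form; a scoped package would appear as pkg:npm/%40scope/name@ver).
function readSlsaStatement(response, pkgName, version) {
  const att = (response.attestations || []).find((a) => a.predicateType === SLSA_V1);
  if (!att) return { ok: false, reason: "no SLSA provenance attestation" };
  const env = att.bundle.dsseEnvelope;
  if (env.payloadType !== INTOTO_PAYLOAD) return { ok: false, reason: `unexpected payloadType ${env.payloadType}` };
  const stmt = JSON.parse(Buffer.from(env.payload, "base64").toString("utf8"));
  const purl = `pkg:npm/${pkgName}@${version}`;
  if (stmt.predicateType !== SLSA_V1 || !stmt.subject.some((s) => s.name === purl))
    return { ok: false, reason: `statement is not about ${purl}` };
  const bd = stmt.predicate.buildDefinition;
  const src = (bd.resolvedDependencies || []).find((d) => d.digest && d.digest.gitCommit);
  return { ok: true, repository: bd.externalParameters.workflow.repository,
    workflow: bd.externalParameters.workflow.path,
    commit: src ? src.digest.gitCommit : null, builder: stmt.predicate.runDetails.builder.id };
}

// Policy: attested repository must be the expected one, the builder must be a
// known one (prefix is an assumption), and a commit must be recorded, since it
// now stands in for the missing gitHead. Returns a list of problems.
function sourcePolicy(info, expectedRepository) {
  if (!info.ok) return [info.reason];
  const problems = [];
  if (info.repository !== expectedRepository) problems.push(`repository ${info.repository} != ${expectedRepository}`);
  if (!info.builder.startsWith("https://github.com/actions/runner/")) problems.push(`unexpected builder ${info.builder}`);
  if (!/^[0-9a-f]{40}$/.test(info.commit || "")) problems.push("no git commit recorded");
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(provenanceFindings(SAMPLE_PACKUMENT));
  const info = readSlsaStatement(SAMPLE_ATTESTATIONS, "knex", "3.2.10");
  console.log(info, sourcePolicy(info, "https://github.com/knex/knex"));
}
```

The repository comparison is the part that matters: a publisher change plus a valid attestation proves only that some GitHub workflow built the tarball, and `sourcePolicy` is what turns that into "the project's own workflow built it".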

v3.2.9 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.8 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.7 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.6 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.4 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.3 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.2 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.1 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.0 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.