launch-editor — Greenflagged

launch editor from node.js

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

yyx990803sodasapphi-red

Keywords

editorlaunch

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate transition for vitejs org.	ai	2026/05/30
publish-pattern	dormant-publish	AI (publish-pattern): Stable utility with infrequent updates; dormancy is normal for this package.	ai	2026/05/30
semgrep	semgrep:child-process-exec	AI (semgrep): Intentional editor-launch exec call; stable for this package.	ai	2026/05/18
—	semgrep:child-process-spawn	—	sean	2026/05/18
—	semgrep:child-process-import	—	sean	2026/05/18

Versions (showing 8 of 8)

Version	Deps	Published
2.14.0	2 / 0	2026-05-29
2.13.2	2 / 0	2026-03-21
2.13.1	2 / 0	2026-02-25
2.13.0	2 / 0	2026-02-18
2.12.0	2 / 0	2025-10-28
2.11.1	2 / 0	2025-08-07
2.11.0	2 / 0	2025-07-28
2.6.1	2 / 0	2023-10-07

v2.14.0

2 findings

HIGH Publisher changed: soda → GitHub Actions (on 2026-05-29) provenance

This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.