
nx

Versions: 4
License: (not shown)
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

jack-nrwl, meeroslav, nrwlowner, nrwl-jason, juristr, altan-nrwl, jameshenry, vsavkin

Keywords

Monorepo, Angular, React, Web, Node, Nest, Jest, Cypress, CLI, Testing, Front-end, Backend, Mobile

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:base64-decode | AI (semgrep): Parsing SLSA provenance DSSE envelope; expected base64 usage. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): CLI resolution of local workspace nx install; standard pattern. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Core functionality of a task orchestration CLI. | ai |
semgrep | semgrep:child-process-execsync | AI (semgrep): Used for platform detection (musl check); standard native-binding pattern. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Webpack-bundled runtime graph module; standard build output. | ai |
semgrep | semgrep:toplevel-fetch | AI (semgrep): WASI browser binding fetching its own wasm file. | ai |
semgrep | semgrep:http-module-request | AI (semgrep): Nx Cloud integration API calls; documented feature. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Task runner passes env to child processes; expected for a build orchestrator. | ai |
typosquat | typosquat.levenshtein:next | AI (typosquat): nx is a well-established brand; not a typosquat of next. | ai |
typosquat | typosquat.levenshtein:nuxt | AI (typosquat): nx is a well-established brand; not a typosquat of nuxt. | ai |
typosquat | typosquat.levenshtein:knex | AI (typosquat): nx is a well-established brand; not a typosquat of knex. | ai |
typosquat | typosquat.levenshtein:pg | AI (typosquat): nx is a well-established brand; not a typosquat of pg. | ai |
typosquat | typosquat.levenshtein:qs | AI (typosquat): nx is a well-established brand; not a typosquat of qs. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Silent try/catch requiring a local dist file; no network access or arbitrary code execution. | ai |

Versions (showing 4 of 4)

Version | Deps (prod / dev) | Published
22.7.1 | 110 / 0 |
22.6.5 | 36 / 0 |
22.6.4 | 36 / 0 |
22.4.5 | 35 / 0 |

v22.7.1

2 findings
HIGH Package has 'postinstall' script (install-scripts)

Script: node -e "try{require('./dist/bin/post-install')}catch(e){}"

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.5

15 findings
HIGH env-spread: src/command-line/exec/exec.js:32 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    30 | (0, child_process_1.execSync)(command, {
    31 |   stdio: 'inherit',
  > 32 |   env: {
    33 |     ...process.env,
    34 |     NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,

HIGH env-spread: src/command-line/exec/exec.js:62 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    60 | (0, child_process_1.execSync)(command, {
    61 |   stdio: 'inherit',
  > 62 |   env: {
    63 |     ...process.env,
    64 |     NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,

HIGH env-spread: src/command-line/migrate/migrate.js:705 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    703 | await execAsync(`${pmc.add} ${packageName}@${packageVersion}`, {
    704 |   cwd: dir,
  > 705 |   env: {
    706 |     ...process.env,
    707 |     npm_config_legacy_peer_deps: 'true',

HIGH env-spread: src/command-line/migrate/migrate.js:1122 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    1120 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, {
    1121 |   stdio: ['inherit', 'inherit', 'inherit'],
  > 1122 |   env: {
    1123 |     ...process.env,
    1124 |     NX_MIGRATE_SKIP_INSTALL: 'true',

HIGH env-spread: src/command-line/release/version.js:341 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    339 |   console.log(preVersionCommand);
    340 | }
  > 341 | let env = {
    342 |   ...process.env,
    343 | };

HIGH env-spread: src/command-line/run/run.js:64 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    62 | const helpCommand = `${command} --help`;
    63 | const localEnv = (0, npm_run_path_1.env)();
  > 64 | const env = {
    65 |   ...process.env,
    66 |   ...localEnv,

HIGH env-spread: src/command-line/watch/watch.js:96 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    94 |   shell: true,
    95 |   cwd: process.cwd(),
  > 96 |   env: {
    97 |     ...process.env,
    98 |     [this.projectNameEnv]: env[this.projectNameEnv],

HIGH env-spread: src/daemon/client/client.js:949 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    947 |   windowsHide: true,
    948 |   shell: false,
  > 949 |   env: {
    950 |     ...DAEMON_ENV_OVERRIDABLE_SETTINGS,
    951 |     ...process.env,

HIGH env-spread: src/executors/run-commands/running-tasks.js:423 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    421 | function processEnv(color, cwd, envOptionFromExecutor, envFile) {
    422 |   let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() });
  > 423 |   localEnv = {
    424 |     ...process.env,
    425 |     ...localEnv,

HIGH env-spread: src/project-graph/plugins/isolation/isolated-plugin.js:327 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    325 | const isWorkerTypescript = path.extname(__filename) === '.ts';
    326 | const workerPath = path.join(__dirname, 'plugin-worker');
  > 327 | const env = {
    328 |   ...process.env,
    329 |   ...(isWorkerTypescript

HIGH env-spread: src/tasks-runner/task-env.js:15 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    13 | const task_env_paths_1 = require("./task-env-paths");
    14 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) {
  > 15 |   return {
    16 |     // User Process Env Variables override Dotenv Variables
    17 |     ...process.env,

HIGH env-spread: src/tasks-runner/task-env.js:24 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    22 | function getTaskSpecificEnv(task, graph) {
    23 |   // Unload any dot env files at the root of the workspace that were loaded on init of Nx.
  > 24 |   const taskEnv = unloadDotEnvFiles({ ...process.env });
    25 |   return process.env.NX_LOAD_DOT_ENV_FILES === 'true'
    26 |     ? loadDotEnvFilesForTask(task, graph, taskEnv)

HIGH env-spread: src/utils/git-utils.js:148 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    146 |   cwd: this.root,
    147 |   maxBuffer: 10 * 1024 * 1024,
  > 148 |   env: {
    149 |     ...process.env,
    150 |     ...env,

HIGH env-spread: src/utils/package-json.js:240 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    238 |   // Yarn Berry requires an environment variable (not a CLI flag) to disable lifecycle scripts.
    239 |   // Apply this defensively for all package managers when pulling nx@latest to tmp.
  > 240 |   env: {
    241 |     ...process.env,
    242 |     YARN_ENABLE_SCRIPTS: 'false',

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.4

14 findings
HIGH env-spread: src/command-line/exec/exec.js:32 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    30 | (0, child_process_1.execSync)(command, {
    31 |   stdio: 'inherit',
  > 32 |   env: {
    33 |     ...process.env,
    34 |     NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,

HIGH env-spread: src/command-line/exec/exec.js:62 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    60 | (0, child_process_1.execSync)(command, {
    61 |   stdio: 'inherit',
  > 62 |   env: {
    63 |     ...process.env,
    64 |     NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,

HIGH env-spread: src/command-line/migrate/migrate.js:705 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    703 | await execAsync(`${pmc.add} ${packageName}@${packageVersion}`, {
    704 |   cwd: dir,
  > 705 |   env: {
    706 |     ...process.env,
    707 |     npm_config_legacy_peer_deps: 'true',

HIGH env-spread: src/command-line/migrate/migrate.js:1122 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    1120 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, {
    1121 |   stdio: ['inherit', 'inherit', 'inherit'],
  > 1122 |   env: {
    1123 |     ...process.env,
    1124 |     NX_MIGRATE_SKIP_INSTALL: 'true',

HIGH env-spread: src/command-line/release/version.js:341 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    339 |   console.log(preVersionCommand);
    340 | }
  > 341 | let env = {
    342 |   ...process.env,
    343 | };

HIGH env-spread: src/command-line/run/run.js:64 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    62 | const helpCommand = `${command} --help`;
    63 | const localEnv = (0, npm_run_path_1.env)();
  > 64 | const env = {
    65 |   ...process.env,
    66 |   ...localEnv,

HIGH env-spread: src/command-line/watch/watch.js:96 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    94 |   shell: true,
    95 |   cwd: process.cwd(),
  > 96 |   env: {
    97 |     ...process.env,
    98 |     [this.projectNameEnv]: env[this.projectNameEnv],

HIGH env-spread: src/daemon/client/client.js:943 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    941 |   windowsHide: true,
    942 |   shell: false,
  > 943 |   env: {
    944 |     ...DAEMON_ENV_OVERRIDABLE_SETTINGS,
    945 |     ...process.env,

HIGH env-spread: src/executors/run-commands/running-tasks.js:423 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    421 | function processEnv(color, cwd, envOptionFromExecutor, envFile) {
    422 |   let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() });
  > 423 |   localEnv = {
    424 |     ...process.env,
    425 |     ...localEnv,

HIGH env-spread: src/project-graph/plugins/isolation/isolated-plugin.js:321 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    319 | const isWorkerTypescript = path.extname(__filename) === '.ts';
    320 | const workerPath = path.join(__dirname, 'plugin-worker');
  > 321 | const env = {
    322 |   ...process.env,
    323 |   ...(isWorkerTypescript

HIGH env-spread: src/tasks-runner/task-env.js:15 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    13 | const task_env_paths_1 = require("./task-env-paths");
    14 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) {
  > 15 |   return {
    16 |     // User Process Env Variables override Dotenv Variables
    17 |     ...process.env,

HIGH env-spread: src/tasks-runner/task-env.js:24 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    22 | function getTaskSpecificEnv(task, graph) {
    23 |   // Unload any dot env files at the root of the workspace that were loaded on init of Nx.
  > 24 |   const taskEnv = unloadDotEnvFiles({ ...process.env });
    25 |   return process.env.NX_LOAD_DOT_ENV_FILES === 'true'
    26 |     ? loadDotEnvFilesForTask(task, graph, taskEnv)

HIGH env-spread: src/utils/git-utils.js:148 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    146 |   cwd: this.root,
    147 |   maxBuffer: 10 * 1024 * 1024,
  > 148 |   env: {
    149 |     ...process.env,
    150 |     ...env,

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.5

14 findings
HIGH Package has 'postinstall' script (install-scripts)

Script: node ./bin/post-install || exit 0

HIGH env-spread: src/command-line/exec/exec.js:32 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    30 | (0, child_process_1.execSync)(command, {
    31 |   stdio: 'inherit',
  > 32 |   env: {
    33 |     ...process.env,
    34 |     NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,

HIGH env-spread: src/command-line/exec/exec.js:62 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    60 | (0, child_process_1.execSync)(command, {
    61 |   stdio: 'inherit',
  > 62 |   env: {
    63 |     ...process.env,
    64 |     NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,

HIGH env-spread: src/command-line/migrate/migrate.js:1113 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    1111 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, {
    1112 |   stdio: ['inherit', 'inherit', 'inherit'],
  > 1113 |   env: {
    1114 |     ...process.env,
    1115 |     NX_MIGRATE_SKIP_INSTALL: 'true',

HIGH env-spread: src/command-line/release/version.js:341 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    339 |   console.log(preVersionCommand);
    340 | }
  > 341 | let env = {
    342 |   ...process.env,
    343 | };

HIGH env-spread: src/command-line/run/run.js:64 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    62 | const helpCommand = `${command} --help`;
    63 | const localEnv = (0, npm_run_path_1.env)();
  > 64 | const env = {
    65 |   ...process.env,
    66 |   ...localEnv,

HIGH env-spread: src/command-line/watch/watch.js:96 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    94 |   shell: true,
    95 |   cwd: process.cwd(),
  > 96 |   env: {
    97 |     ...process.env,
    98 |     [this.projectNameEnv]: env[this.projectNameEnv],

HIGH env-spread: src/daemon/client/client.js:921 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    919 |   windowsHide: false,
    920 |   shell: false,
  > 921 |   env: {
    922 |     ...process.env,
    923 |     ...DAEMON_ENV_SETTINGS,

HIGH env-spread: src/executors/run-commands/running-tasks.js:416 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    414 | function processEnv(color, cwd, envOptionFromExecutor, envFile) {
    415 |   let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() });
  > 416 |   localEnv = {
    417 |     ...process.env,
    418 |     ...localEnv,

HIGH env-spread: src/project-graph/plugins/isolation/plugin-pool.js:307 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    305 | const isWorkerTypescript = path.extname(__filename) === '.ts';
    306 | const workerPath = path.join(__dirname, 'plugin-worker');
  > 307 | const env = {
    308 |   ...process.env,
    309 |   ...(isWorkerTypescript

HIGH env-spread: src/tasks-runner/task-env.js:15 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    13 | const task_env_paths_1 = require("./task-env-paths");
    14 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) {
  > 15 |   return {
    16 |     // User Process Env Variables override Dotenv Variables
    17 |     ...process.env,

HIGH env-spread: src/tasks-runner/task-env.js:24 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    22 | function getTaskSpecificEnv(task, graph) {
    23 |   // Unload any dot env files at the root of the workspace that were loaded on init of Nx.
  > 24 |   const taskEnv = unloadDotEnvFiles({ ...process.env });
    25 |   return process.env.NX_LOAD_DOT_ENV_FILES === 'true'
    26 |     ? loadDotEnvFilesForTask(task, graph, taskEnv)

HIGH env-spread: src/utils/git-utils.js:148 (semgrep)

Spreading entire process.env into an object — may capture all secrets

    146 |   cwd: this.root,
    147 |   maxBuffer: 10 * 1024 * 1024,
  > 148 |   env: {
    149 |     ...process.env,
    150 |     ...env,

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.