rollup-plugin-inject — Greenflagged

Scan modules for global variables and inject `import` statements where necessary

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

btdguybedfordlukastaegertrich_harris

Keywords

rolluprollup-plugines2015npmmodules

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:shx	AI (dependencies): shx is a well-known cross-platform shell utility used only in build scripts (prebuild: shx rm -rf dist). It is not imported in runtime code; its presence as a runtime dep is a packaging oversight, not a security risk.	ai	2026/04/22
phantom-deps	phantom-dep:shx	AI (phantom-deps): shx is referenced only in npm scripts for build purposes, not imported in source code. This is expected behavior for a build utility.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; absence is expected for this age cohort and not a risk signal.	ai	2026/04/21
dependencies	unvetted-dep:rollup-pluginutils	AI (dependencies): rollup-pluginutils is a legitimate Rollup ecosystem package maintained by the same team; stable dependency for this package.	ai	2026/04/21