shelljs
Portable Unix shell commands for Node.js
5
Versions
BSD-3-Clause
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
arturnfischerfreitagbr
Keywords
shelljsbashunixshellmakefilemakejakesynchronous
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads shelljs's own bundled command modules from a fixed subdirectory — not user-controlled input. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rechoir | AI (phantom-deps): rechoir is used by shelljs's make/plugin system for transpiler support; indirect usage pattern is intentional and documented. | ai | |
| phantom-deps | phantom-dep:interpret | AI (phantom-deps): interpret is used alongside rechoir in shelljs's make/plugin system; indirect usage is intentional. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): shelljs is a shell utility library; child_process usage is core to its documented functionality and expected across all versions. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): shelljs wraps child_process.exec() as its primary feature; this is expected and documented behavior across all versions. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.10.0 | 2 / 12 | |
| 0.9.2 | 4 / 12 | |
| 0.9.1 | 4 / 12 | |
| 0.9.0 | 4 / 12 | |
| 0.8.5 | 3 / 12 |
v0.9.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.