spawn-sync
Exports child_process.spawnSync
Versions: 10
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
bengl, forbeslindesay, leobalter, satazor
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Package is 4484 days old with 19 versions; 0.0.0 reflects an old versioning convention by a reputable publisher, not a malware indicator. | ai | |
| dependencies | unvetted-dep:execSync | AI (dependencies): execSync is an optional dependency used as a native optimization; fallback to child_process is safe. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall is a standard build step for this polyfill; stable for this package. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec() is core to spawn-sync's polyfill functionality; expected and necessary. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is a well-known minimal shim by a reputable author; tiny payload and no deps are expected for this utility. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is the core functionality of this spawn-sync polyfill; fallback pattern is documented and legitimate. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.0.0 | 0 / 0 | |
| 1.0.14 | 2 / 1 | |
| 1.0.10 | 2 / 1 | |
| 1.0.8 | 2 / 1 | |
| 1.0.3 | 3 / 0 | |
| 1.0.2 | 3 / 0 | |
| 1.0.1 | 3 / 0 | |
| 1.0.0 | 2 / 0 | |
| 0.0.2 | 2 / 0 | |
| 0.0.0 | 0 / 1 | |
Per-version findings

| Version | Findings | Severity | Finding | Rule | Detail |
|---|---|---|---|---|---|
| v1.0.3 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v1.0.2 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v1.0.1 | 1 | LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |