ts-checker-rspack-plugin
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Standard pattern for spawning worker processes that inherit parent env; core functionality of this type-checker plugin. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is required to run TypeScript type checking in a separate worker process; core functionality. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load the user-configured TypeScript installation path in a worker — a standard and expected pattern for a TypeScript checker plugin. Not a security risk. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.3.1 | 4 / 17 | |
| 1.3.0 | 4 / 16 | |
| 1.2.6 | 7 / 13 | |
| 1.2.5 | 7 / 13 | |
| 1.2.4 | 7 / 13 | |
| 1.2.3 | 7 / 13 | |
| 1.2.2 | 7 / 19 | |
| 1.2.1 | 7 / 19 | |
| 1.2.0 | 7 / 19 | |
| 1.1.7 | 7 / 19 | |
| 1.1.6 | 7 / 19 | |
| 1.1.4 | 7 / 19 | |
| 1.1.3 | 7 / 19 | |
| 1.1.2 | 7 / 19 |
v1.3.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.2
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/rspack-contrib/ts-checker-rspack-plugin/blob/5ba6fe08d0223a6192f6bf8e1b371da5859956ef/lib/index.js#L439 437 | function createRpcWorker(modulePath, data, memoryLimit) { 438 | const options = { > 439 | env: { 440 | ...external_process_namespaceObject.env, 441 | [WORKER_DATA_ENV_KEY]: JSON.stringify(data || {})
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.1
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/rspack-contrib/ts-checker-rspack-plugin/blob/e2994e23d5a466738afbd9e4417eb88ce3de2288/lib/index.js#L438 436 | function createRpcWorker(modulePath, data, memoryLimit) { 437 | const options = { > 438 | env: { 439 | ...external_process_namespaceObject.env, 440 | [WORKER_DATA_ENV_KEY]: JSON.stringify(data || {})
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/rspack-contrib/ts-checker-rspack-plugin/blob/f6e5ec3f1fc81cea247fd72d04e0933c63f1ca23/lib/index.js#L438 436 | function createRpcWorker(modulePath, data, memoryLimit) { 437 | const options = { > 438 | env: { 439 | ...external_process_namespaceObject.env, 440 | [WORKER_DATA_ENV_KEY]: JSON.stringify(data || {})
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.7
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/rspack-contrib/ts-checker-rspack-plugin/blob/d7e5515023ad8e3c58dca5a5cf05688b1469d7b3/lib/rpc/rpc-worker.js#L33 31 | function createRpcWorker(modulePath, data, memoryLimit) { 32 | const options = { > 33 | env: { 34 | ...process.env, 35 | [WORKER_DATA_ENV_KEY]: JSON.stringify(data || {}),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.6
2 findingsThis version was published by a different npm account than previous versions on 2025-10-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.