turbo
Turborepo is a high-performance build system for JavaScript and TypeScript codebases.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:turbo-linux-mips64le | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-linux-32 | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-linux-arm | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-freebsd-64 | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-windows-32 | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-freebsd-arm64 | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| phantom-deps | phantom-dep:turbo-linux-ppc64le | AI (phantom-deps): Platform-specific optional binary dependency — standard cross-platform binary distribution pattern for turbo. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): turbo's postinstall runs install.js to select and install the correct platform-specific binary — standard documented pattern for cross-platform binary distribution, stable across versions. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): process.env spread is used to sanitize npm_config_global to prevent install deadlock — defensive pattern, not credential exfiltration. Confirmed in public Vercel/turborepo source. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used to run nested npm install for platform binary selection — expected and documented behavior for turbo's binary installer. | ai | |
| phantom-deps | phantom-dep:turbo-darwin-64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
| phantom-deps | phantom-dep:turbo-windows-64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
| phantom-deps | phantom-dep:turbo-linux-arm64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
| phantom-deps | phantom-dep:turbo-darwin-arm64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
| phantom-deps | phantom-dep:turbo-windows-arm64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
| phantom-deps | phantom-dep:turbo-linux-64 | AI (phantom-deps): Platform-specific optional binary dependency; standard pattern for cross-platform CLI tools. | ai | |
Versions (showing 100 of 485)
| Version | Deps | Published |
|---|---|---|
| 1.12.3 | 6 / 0 | |
| 1.12.2 | 6 / 0 | |
| 1.12.1 | 6 / 0 | |
| 1.12.0 | 6 / 0 | |
| 1.11.3 | 6 / 0 | |
| 1.11.2 | 6 / 0 | |
| 1.11.1 | 6 / 0 | |
| 1.11.0 | 6 / 0 | |
| 1.10.16 | 6 / 0 | |
| 1.10.15 | 6 / 0 | |
| 1.10.14 | 6 / 0 | |
| 1.10.13 | 6 / 0 | |
| 1.9.9 | 6 / 0 | |
| 1.5.4 | 6 / 0 | |
| 1.5.3 | 6 / 0 | |
| 1.2.16 | 13 / 0 | |
| 1.2.14 | 13 / 0 | |
| 1.2.13 | 13 / 0 | |
| 1.2.11 | 13 / 0 | |
| 1.2.9 | 13 / 0 | |
| 1.2.7 | 13 / 0 | |
| 1.1.5 | 12 / 0 | |
| 1.1.4 | 12 / 0 | |
| 1.1.0 | 12 / 0 | |
| 1.0.29 | 12 / 0 | |
| 1.0.25 | 12 / 0 | |
| 1.0.24 | 12 / 0 | |
| 1.0.22 | 12 / 0 | |
| 1.0.21 | 12 / 0 | |
| 1.0.18 | 0 / 0 | |
| 1.0.17 | 0 / 0 | |
| 1.0.12 | 1 / 0 | |
| 1.0.9 | 1 / 0 | |
| 1.0.8 | 1 / 0 | |
| 1.0.6 | 1 / 0 | |
| 1.0.5 | 1 / 0 | |
| 1.0.1 | 1 / 0 | |
| 1.0.0 | 1 / 0 | |
| 0.8.5 | 3 / 0 | |
| 0.8.4 | 3 / 0 | |
| 0.8.3 | 3 / 0 | |
| 0.8.2 | 3 / 0 | |
| 0.8.0 | 3 / 0 | |
| 0.7.5 | 3 / 0 | |
| 0.7.4 | 3 / 0 | |
| 0.7.3 | 3 / 0 | |
| 0.7.2 | 3 / 0 | |
| 0.7.1 | 3 / 0 | |
| 0.7.0 | 3 / 0 | |
| 0.6.10 | 3 / 0 | |
| 0.6.9 | 3 / 0 | |
| 0.6.8 | 3 / 0 | |
| 0.6.7 | 3 / 0 | |
| 0.6.6 | 3 / 0 | |
| 0.6.5 | 3 / 0 | |
| 0.6.4 | 3 / 0 | |
| 0.6.3 | 3 / 0 | |
| 0.6.2 | 3 / 0 | |
| 0.6.1 | 3 / 0 | |
| 0.6.0 | 3 / 0 | |
| 0.5.12 | 2 / 0 | |
| 0.5.11 | 2 / 0 | |
| 0.5.10 | 2 / 0 | |
| 0.5.9 | 2 / 0 | |
| 0.5.8 | 2 / 0 | |
| 0.5.7 | 2 / 0 | |
| 0.5.6 | 2 / 0 | |
| 0.5.5 | 2 / 0 | |
| 0.5.4 | 2 / 0 | |
| 0.5.3 | 2 / 0 | |
| 0.5.2 | 2 / 0 | |
| 0.5.1 | 2 / 0 | |
| 0.5.0 | 2 / 0 | |
| 0.4.11 | 2 / 0 | |
| 0.4.10 | 1 / 0 | |
| 0.4.9 | 1 / 0 | |
| 0.4.8 | 1 / 0 | |
| 0.4.7 | 1 / 0 | |
| 0.4.6 | 1 / 0 | |
| 0.4.5 | 1 / 0 | |
| 0.4.4 | 1 / 0 | |
| 0.4.3 | 1 / 0 | |
| 0.4.2 | 1 / 0 | |
| 0.4.1 | 1 / 0 | |
| 0.3.18 | 1 / 0 | |
| 0.3.17 | 1 / 0 | |
| 0.3.15 | 1 / 0 | |
| 0.3.14 | 1 / 0 | |
| 0.3.13 | 1 / 0 | |
| 0.3.12 | 1 / 0 | |
| 0.3.11 | 1 / 0 | |
| 0.3.10 | 1 / 0 | |
| 0.3.9 | 1 / 0 | |
| 0.3.8 | 1 / 0 | |
| 0.3.7 | 1 / 0 | |
| 0.3.6 | 1 / 0 | |
| 0.3.5 | 1 / 0 | |
| 0.3.4 | 1 / 0 | |
| 0.3.0 | 0 / 0 | |
| 2.9.7-canary.9 | 0 / 0 | |
v1.12.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.5
3 findings
Script: node install.js
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vercel/turborepo/blob/9886af2a2f2e1f537e5b575c0b7a5ddfcb30d0c1/install.js#L105

```
  103 | // Otherwise this nested "npm install" will also be global, and the install
  104 | // will deadlock waiting for the global installation lock.
> 105 | const env = { ...process.env, npm_config_global: undefined };
  106 |
  107 | // Create a temporary directory inside the "turbo" package with an empty
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.12
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
3 findings
Script: node install.js
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/vercel/turborepo/blob/2f62c3cfa358fbe4de52f084efdc065093676082/install.js#L202

```
  200 | // Otherwise this nested "npm install" will also be global, and the install
  201 | // will deadlock waiting for the global installation lock.
> 202 | const env = { ...process.env, npm_config_global: undefined };
  203 |
  204 | child_process.execSync(
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.