
typeorm

Data-Mapper ORM for TypeScript and ES2021+. Supports MySQL/MariaDB, PostgreSQL, MS SQL Server, Oracle, SAP HANA, SQLite, MongoDB databases.

Versions: 6
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

michaelbromley
pleerock

Accepted risks

Findings the reviewer chose to accept rather than block on.

Columns: Source | Rule | Reason | Accepted by | When

Source: semgrep
Rule: semgrep:env-spread
Reason: AI (semgrep): TypeORM CLI uses process.env spread to forward environment to child processes (spawnSync). This is standard CLI behavior, not secret exfiltration.
Accepted by: ai

Source: semgrep
Rule: semgrep:dynamic-require
Reason: AI (semgrep): Dynamic require is used to load user-specified ORM config files (ormconfig.json etc.), core documented TypeORM functionality.
Accepted by: ai

Source: semgrep
Rule: semgrep:child-process-import
Reason: AI (semgrep): TypeORM ships CLI binaries that legitimately use child_process to spawn ts-node subprocesses. Expected for a CLI tool.
Accepted by: ai

Versions (showing 6 of 6; 201 prereleases not listed)

Version   Deps      Published
1.0.0     10 / 3
0.3.30    15 / 58
0.3.29    15 / 58
0.3.28    15 / 56
0.3.27    14 / 55
0.3.26    14 / 55

v1.0.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.30

1 finding
INFO  Has SLSA provenance attestation  [provenance]

v0.3.29

1 finding
INFO  Has SLSA provenance attestation  [provenance]

v0.3.28

3 findings
HIGH  env-spread: browser/cli-ts-node-esm.js:8  [semgrep]

Spreading entire process.env into an object; may capture all secrets.
Source: https://github.com/typeorm/typeorm/blob/73fda419e4647c10377b28bd975171156c285693/browser/cli-ts-node-esm.js#L8

      6 | const childProcess = spawnSync(process.argv[0], process.argv.slice(1), {
      7 |     stdio: "inherit",
    > 8 |     env: {
      9 |         ...process.env,
     10 |         NODE_OPTIONS: [

HIGH  env-spread: cli-ts-node-esm.js:10  [semgrep]

Spreading entire process.env into an object; may capture all secrets.
Source: https://github.com/typeorm/typeorm/blob/73fda419e4647c10377b28bd975171156c285693/cli-ts-node-esm.js#L10

      8 | const childProcess = (0, child_process_1.spawnSync)(process.argv[0], process.argv.slice(1), {
      9 |     stdio: "inherit",
    > 10 |     env: {
     11 |         ...process.env,
     12 |         NODE_OPTIONS: [

INFO  Has SLSA provenance attestation  [provenance]

v0.3.27

1 finding
INFO  Has SLSA provenance attestation  [provenance]

v0.3.26

1 finding
INFO  Has SLSA provenance attestation  [provenance]