@0gfoundation/0g-compute-ts-sdk

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

overi0g-jiahao0g-will0g-xie0g-peterzhang

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Fires in test file saving/restoring process.env — standard test setup pattern, not malicious.	ai	2026/05/15
semgrep	semgrep:child-process-import	AI (semgrep): Used in integration test harness to invoke the CLI binary under test.	ai	2026/05/15
semgrep	semgrep:hex-decode	AI (semgrep): Hex decode is part of standard ethers keccak256 signing flow, not payload hiding.	ai	2026/05/15
semgrep	semgrep:base64-decode	AI (semgrep): Decoding a base64 config response field — normal API response handling.	ai	2026/05/15
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Fires in bundled Next.js web-UI static output; raw IPs in minified bundles are common for default/example configs.	ai	2026/05/15
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get in bundled Next.js chunk is standard webpack/framework output, not intentional obfuscation.	ai	2026/05/15
phantom-deps	phantom-dep:util	AI (phantom-deps): Browser polyfill declared for bundler config; not a direct import but legitimately needed.	ai	2026/05/15
phantom-deps	phantom-dep:brotli	AI (phantom-deps): Declared as runtime dep for compression; phantom-dep heuristic false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:buffer	AI (phantom-deps): Browser polyfill in bundler config; stable false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:dotenv	AI (phantom-deps): Used in CLI runtime config loading; phantom-dep heuristic false positive.	ai	2026/05/15
phantom-deps	phantom-dep:crypto-js	AI (phantom-deps): Declared dep used transitively; stable false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:circomlibjs	AI (phantom-deps): ZK library dep; phantom-dep heuristic false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:stream-browserify	AI (phantom-deps): Browser polyfill in bundler config; stable false positive.	ai	2026/05/15
phantom-deps	phantom-dep:@ethersproject/bytes	AI (phantom-deps): Ethers utility dep; phantom-dep heuristic false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:@ethersproject/keccak256	AI (phantom-deps): Ethers utility dep; phantom-dep heuristic false positive for this package.	ai	2026/05/15

Versions (showing 3 of 3)

Version	Deps	Published
0.8.3	21 / 33	2026-05-10
0.8.2	21 / 33	2026-05-08
0.8.0	21 / 33	2026-04-30

v0.8.3

4 findings

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:16 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/c0ffde81392039a86d06a9a05226240ff9e65d7d/cli.commonjs/cli/__tests__/cli.integration.test.js#L16 14 | (0, mocha_1.beforeEach)(() => { 15 | // Save original environment > 16 | originalEnv = { ...process.env }; 17 | // Create temp directory for test files 18 | tempDir = fs.mkdtempSync(path.join(os.tmpdir(), '0g-cli-test-'));

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/c0ffde81392039a86d06a9a05226240ff9e65d7d/cli.commonjs/cli/__tests__/cli.integration.test.js#L64 62 | // Kill immediately to avoid interactive mode 63 | const child = (0, child_process_1.spawn)('node', [cliPath, 'login'], { > 64 | env: { ...process.env }, 65 | cwd: process.cwd(), 66 | });

HIGH env-spread: cli.commonjs/cli/web-ui-embedded.js:249 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/c0ffde81392039a86d06a9a05226240ff9e65d7d/cli.commonjs/cli/web-ui-embedded.js#L249 247 | cwd: standalonePath, 248 | stdio: 'inherit', > 249 | env: { 250 | ...process.env, 251 | PORT: port.toString(),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.2

4 findings

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:16 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/8bcf61300a222b182393f71bd45c49213b74af9d/cli.commonjs/cli/__tests__/cli.integration.test.js#L16 14 | (0, mocha_1.beforeEach)(() => { 15 | // Save original environment > 16 | originalEnv = { ...process.env }; 17 | // Create temp directory for test files 18 | tempDir = fs.mkdtempSync(path.join(os.tmpdir(), '0g-cli-test-'));

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/8bcf61300a222b182393f71bd45c49213b74af9d/cli.commonjs/cli/__tests__/cli.integration.test.js#L64 62 | // Kill immediately to avoid interactive mode 63 | const child = (0, child_process_1.spawn)('node', [cliPath, 'login'], { > 64 | env: { ...process.env }, 65 | cwd: process.cwd(), 66 | });

HIGH env-spread: cli.commonjs/cli/web-ui-embedded.js:249 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/8bcf61300a222b182393f71bd45c49213b74af9d/cli.commonjs/cli/web-ui-embedded.js#L249 247 | cwd: standalonePath, 248 | stdio: 'inherit', > 249 | env: { 250 | ...process.env, 251 | PORT: port.toString(),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.0

4 findings

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:16 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/937e7ce1343e7d4ca5f8328373c156a472a9a63a/cli.commonjs/cli/__tests__/cli.integration.test.js#L16 14 | (0, mocha_1.beforeEach)(() => { 15 | // Save original environment > 16 | originalEnv = { ...process.env }; 17 | // Create temp directory for test files 18 | tempDir = fs.mkdtempSync(path.join(os.tmpdir(), '0g-cli-test-'));

HIGH env-spread: cli.commonjs/cli/__tests__/cli.integration.test.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/937e7ce1343e7d4ca5f8328373c156a472a9a63a/cli.commonjs/cli/__tests__/cli.integration.test.js#L64 62 | // Kill immediately to avoid interactive mode 63 | const child = (0, child_process_1.spawn)('node', [cliPath, 'login'], { > 64 | env: { ...process.env }, 65 | cwd: process.cwd(), 66 | });

HIGH env-spread: cli.commonjs/cli/web-ui-embedded.js:249 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/0glabs/0g-serving-user-broker/blob/937e7ce1343e7d4ca5f8328373c156a472a9a63a/cli.commonjs/cli/web-ui-embedded.js#L249 247 | cwd: standalonePath, 248 | stdio: 'inherit', > 249 | env: { 250 | ...process.env, 251 | PORT: port.toString(),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.