@abhinav2203/codeflow-store
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into spawn() options is the standard Node.js pattern for child process environment inheritance, not secret exfiltration. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 1.0.14 | 2 / 3 | |
| 1.0.13 | 2 / 3 | |
| 1.0.7 | 2 / 3 | |
| 1.0.6 | 2 / 3 | |
| 1.0.5 | 2 / 3 | |
| 1.0.4 | 2 / 3 | |
| 1.0.3 | 2 / 3 | |
| 1.0.2 | 2 / 3 | |
| 1.0.1 | 2 / 3 | |
| 1.0.0 | 2 / 3 | |
| 0.2.5 | 2 / 3 | |
| 0.2.4 | 2 / 3 | |
| 0.2.3 | 2 / 3 | |
| 0.2.2 | 2 / 3 | |
| 0.2.1 | 2 / 3 | |
| 0.2.0 | 2 / 3 | |
| 0.1.0 | 2 / 3 | |
v1.0.14
2 findings

Spreading entire process.env into an object — may capture all secrets (semgrep:env-spread, accepted above). Scanner excerpt, with the flagged line marked:

```javascript
const child = spawn(shell, [], {
  cwd,
  env: {                                          // <- flagged line
    ...process.env,
    TERM: process.env.TERM || "xterm-256color"
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.13, v1.0.7, v1.0.6, v1.0.5, v1.0.4, v1.0.3, v1.0.2, v1.0.1, v1.0.0, v0.2.5, v0.2.4, v0.2.3, v0.2.2, v0.2.1, v0.2.0, v0.1.0
2 findings each, identical to v1.0.14: the same process.env spread at the same spawn() call, and publication without Sigstore provenance. Every version on the page carries both findings, so neither is a regression in a particular release.