@adobe/helix-universal
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Intentional AWS adapter pattern: passes process.env to Lambda invocation context, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard AWS API Gateway body decoding; legitimate adapter behavior, not payload obfuscation. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 5.4.2 | 2 / 18 | |
| 5.4.1 | 2 / 18 | |
| 5.4.0 | 2 / 18 | |
| 5.3.0 | 2 / 18 | |
| 5.2.3 | 2 / 18 | |
| 5.2.2 | 2 / 17 | |
v5.4.2
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/3aae4de382916b13ab48106dcdc8ff41b8f43fca/src/aws-adapter.js#L213
```js
211 | event,
212 | },
> 213 | env: {
214 | ...process.env,
215 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/3aae4de382916b13ab48106dcdc8ff41b8f43fca/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/3aae4de382916b13ab48106dcdc8ff41b8f43fca/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```
Unlike the AWS and Google adapters, the OpenWhisk copy removes the platform credential (__OW_API_KEY) before the object is used; the other two pass every variable through unchanged.

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1), which binds the published tarball to the source repository and build workflow that produced it. This is the strongest supply chain integrity signal available on npm; it establishes where the package was built, not that its code is safe.
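The three flagged snippets above all hand a copy of process.env to the function's invocation context. The following is an added example, not code from helix-universal, contrasting that pattern with a scoped copy that drops platform credentials and credential-looking names and can be restricted to an allow-list of prefixes. The variable names, the deny-list and the HLX_ prefix are assumptions for illustration; the page does not say how, or whether, the project filters its context.

```javascript
// Added example (not helix-universal code). `spreadAllEnv` mirrors the pattern
// semgrep flagged (`env: { ...process.env }`); `scopedEnv` copies only what a
// handler should see. Variable names and the deny-list are assumptions.

// Credential-bearing variables that cloud runtimes inject into the process
// environment. A handler rarely needs these inside its own `context.env`.
const PLATFORM_SECRET_KEYS = new Set([
  'AWS_ACCESS_KEY_ID',
  'AWS_SECRET_ACCESS_KEY',
  'AWS_SESSION_TOKEN',
  '__OW_API_KEY',
  'GOOGLE_APPLICATION_CREDENTIALS',
]);

// Catch-all for names that look like credentials regardless of platform.
const SECRET_NAME_PATTERN = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY)/i;

// The flagged pattern: every variable the runtime knows, secrets included.
function spreadAllEnv(processEnv) {
  return { ...processEnv };
}

// Hardened variant. `allowPrefixes` is an opt-in allow-list (e.g. ['HLX_']);
// when given, only names starting with one of them survive. Platform
// credentials and credential-looking names are always dropped. A fresh object
// is returned so the handler cannot mutate process.env through the context.
function scopedEnv(processEnv, { allowPrefixes = [] } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(processEnv)) {
    if (value === undefined) continue;
    if (PLATFORM_SECRET_KEYS.has(name)) continue;
    if (SECRET_NAME_PATTERN.test(name)) continue;
    if (allowPrefixes.length > 0 && !allowPrefixes.some((p) => name.startsWith(p))) continue;
    out[name] = value;
  }
  return out;
}

// Names in a context env that the same scan would flag, sorted. Useful as a
// unit test over whatever object an adapter actually builds.
function leakedSecretNames(ctxEnv) {
  return Object.keys(ctxEnv)
    .filter((n) => PLATFORM_SECRET_KEYS.has(n) || SECRET_NAME_PATTERN.test(n))
    .sort();
}

// Constructed sample environment (not captured from a real runtime).
const SAMPLE_ENV = {
  AWS_REGION: 'us-east-1',
  AWS_ACCESS_KEY_ID: 'ASIAEXAMPLE',
  AWS_SECRET_ACCESS_KEY: 'example-secret',
  AWS_SESSION_TOKEN: 'example-session-token',
  __OW_API_KEY: 'example:owkey',
  __OW_API_HOST: 'https://localhost',
  HLX_CONFIG_BUCKET: 'helix-config',
  DB_PASSWORD: 'example-password',
  NODE_ENV: 'production',
};

console.log('spread-all leaks:', leakedSecretNames(spreadAllEnv(SAMPLE_ENV)));
console.log('scoped (deny-list only):', scopedEnv(SAMPLE_ENV));
console.log('scoped (HLX_ allow-list):', scopedEnv(SAMPLE_ENV, { allowPrefixes: ['HLX_'] }));
```

The OpenWhisk adapter's `delete env.__OW_API_KEY` is a deny-list of size one; the name pattern above extends that idea, and the allow-list inverts it so that a new secret injected by the platform is excluded by default rather than by remembering to delete it.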
v5.4.1
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/98dd3bc635d01eed8b177bb2eeea2ad78d1b3a00/src/aws-adapter.js#L213
```js
211 | event,
212 | },
> 213 | env: {
214 | ...process.env,
215 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/98dd3bc635d01eed8b177bb2eeea2ad78d1b3a00/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/98dd3bc635d01eed8b177bb2eeea2ad78d1b3a00/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1), which binds the published tarball to the source repository and build workflow that produced it. This is the strongest supply chain integrity signal available on npm.
v5.4.0
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/d2f6cd9053e2fdca1f11d2c4b98550edc2088e90/src/aws-adapter.js#L213
```js
211 | event,
212 | },
> 213 | env: {
214 | ...process.env,
215 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/d2f6cd9053e2fdca1f11d2c4b98550edc2088e90/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/d2f6cd9053e2fdca1f11d2c4b98550edc2088e90/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1), which binds the published tarball to the source repository and build workflow that produced it. This is the strongest supply chain integrity signal available on npm.
v5.3.0
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/750ce7397de82cdc10ef382ca4206e6dc9af413b/src/aws-adapter.js#L211
```js
209 | event,
210 | },
> 211 | env: {
212 | ...process.env,
213 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/750ce7397de82cdc10ef382ca4206e6dc9af413b/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/750ce7397de82cdc10ef382ca4206e6dc9af413b/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1), which binds the published tarball to the source repository and build workflow that produced it. This is the strongest supply chain integrity signal available on npm.
v5.2.3
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/e2c9669487766154cdd5cff1a1950c896c15b471/src/aws-adapter.js#L211
```js
209 | event,
210 | },
> 211 | env: {
212 | ...process.env,
213 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/e2c9669487766154cdd5cff1a1950c896c15b471/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/e2c9669487766154cdd5cff1a1950c896c15b471/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```

Package was published without Sigstore provenance, so the tarball cannot be tied to a specific source commit or build run. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.2.2
4 findings (3 shown)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/cdd2a5607fe781add7b06c892254ca4d7a9c1bdb/src/aws-adapter.js#L211
```js
209 | event,
210 | },
> 211 | env: {
212 | ...process.env,
213 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/cdd2a5607fe781add7b06c892254ca4d7a9c1bdb/src/google-adapter.js#L78
```js
76 | requestId: request.headers.get('x-cloud-trace-context'),
77 | },
> 78 | env: {
79 | ...process.env,
80 | },
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/adobe/helix-universal/blob/cdd2a5607fe781add7b06c892254ca4d7a9c1bdb/src/openwhisk-adapter.js#L64
```js
62 | }
63 |
> 64 | const env = { ...process.env };
65 | delete env.__OW_API_KEY;
66 | let host = env.__OW_API_HOST || 'https://localhost';
```

Package was published without Sigstore provenance, so the tarball cannot be tied to a specific source commit or build run. Only ~12% of npm packages have provenance, so this is common but not ideal.