
@agnishc/edb-diff-files

Pi extension: live widget tracking files changed this session with an inline diff viewer

Versions: 17
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
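The three badges above are read straight off the registry's per-version metadata: a Sigstore attestation carrying an SLSA predicate, the registry's own signature over the tarball, and the commit hash the publishing client recorded. The following is an added example, not code from this page or from the extension, that derives the same status from a version manifest; the field names follow the public npm registry's version document, the manifests are constructed, and the function and badge names are assumptions.

```typescript
// Added example (not part of this page or the extension): derive the three
// supply-chain badges from an npm registry version manifest. Field names follow
// the public registry's version document: `gitHead`, `dist.signatures`
// (registry signatures) and `dist.attestations` (Sigstore bundle URL plus the
// SLSA predicate type). Both manifests below are constructed.

interface VersionManifest {
  name: string;
  version: string;
  gitHead?: string;
  dist: {
    tarball: string;
    integrity?: string;
    signatures?: { keyid: string; sig: string }[];
    attestations?: { url: string; provenance?: { predicateType: string } };
  };
}

interface ProvenanceStatus {
  slsaProvenance: boolean;
  registrySignatures: boolean;
  gitHeadLinked: boolean;
}

// SLSA provenance predicate types are versioned under this prefix (v0.2, v1).
const SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/";

function provenanceStatus(m: VersionManifest): ProvenanceStatus {
  const predicate = m.dist.attestations?.provenance?.predicateType ?? "";
  return {
    slsaProvenance: predicate.startsWith(SLSA_PREDICATE_PREFIX),
    registrySignatures: (m.dist.signatures?.length ?? 0) > 0,
    // gitHead is self-reported by the publishing client, so "linked" here only
    // means a 40-hex commit hash is present, not that the tarball was built from it.
    gitHeadLinked: typeof m.gitHead === "string" && /^[0-9a-f]{40}$/i.test(m.gitHead),
  };
}

function renderBadges(s: ProvenanceStatus): string[] {
  return [
    s.slsaProvenance ? "SLSA provenance" : "No SLSA provenance",
    s.registrySignatures ? "npm registry signatures" : "No registry signatures",
    s.gitHeadLinked ? "gitHead linked" : "No gitHead",
  ];
}

// Constructed: a version published with a plain `npm publish` from a workstation.
// The registry signs it and records gitHead, but no attestation exists.
const UNATTESTED: VersionManifest = {
  name: "@example/widget",
  version: "0.14.2",
  gitHead: "0123456789abcdef0123456789abcdef01234567",
  dist: {
    tarball: "https://registry.npmjs.org/@example/widget/-/widget-0.14.2.tgz",
    signatures: [{ keyid: "SHA256:constructed-registry-keyid", sig: "MEUCI-constructed-signature" }],
  },
};

// Constructed: the same version published from CI with `npm publish --provenance`.
const ATTESTED: VersionManifest = {
  ...UNATTESTED,
  dist: {
    ...UNATTESTED.dist,
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/@example%2fwidget@0.14.2",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};
```

`npm view @agnishc/edb-diff-files@0.14.2 dist gitHead --json` prints the fields the function reads, and `npm audit signatures` in a project that installs the package verifies the registry signatures and, where present, the attestations against Sigstore. Presence of an attestation is only the starting point: the build identity in the certificate (repository and workflow) still has to match the source you reviewed.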

Maintainers

agnishc

Keywords

pi-package, pi-extension, edb, git

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:silent-process-exec | AI (semgrep): Pattern is opening a user-configured editor with a file path; detached/unref is standard for launching GUI apps. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same editor-launch pattern; variable is a user-configured editor path filtered against a known-candidates list. | ai |

Versions (showing 17 of 17)

Version Deps Published
0.14.2 0 / 0
0.14.0 0 / 0
0.13.0 0 / 0
0.12.0 0 / 0
0.10.9 0 / 0
0.10.8 0 / 0
0.10.6 0 / 0
0.10.5 0 / 0
0.10.4 0 / 0
0.10.3 0 / 0
0.8.2 0 / 0
0.8.1 0 / 0
0.6.1 0 / 0
0.5.1 0 / 0
0.5.0 0 / 0
0.4.0 0 / 0
0.1.0 0 / 0

v0.14.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.14.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

7 findings
HIGH silent-process-exec: src/index.ts:35 semgrep
HIGH silent-process-exec-var: src/index.ts:35 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/91e03a14cb162db5272dd9ccd55cc11473be3514/src/index.ts#L35

  33 | const base = basename(configured);
  34 | if (candidates.some((e) => base.includes(e))) {
> 35 |   spawn(configured, [filePath], { detached: true, stdio: "ignore" }).unref();
  36 |   return `Opened in ${base}`;
  37 | }

HIGH silent-process-exec: src/index.ts:43 semgrep
HIGH silent-process-exec-var: src/index.ts:43 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/91e03a14cb162db5272dd9ccd55cc11473be3514/src/index.ts#L43

  41 | const w = spawnSync("which", [editor], { encoding: "utf-8", stdio: "pipe" });
  42 | if (w.status === 0) {
> 43 |   spawn(editor, [filePath], { detached: true, stdio: "ignore" }).unref();
  44 |   return `Opened in ${editor}`;
  45 | }

HIGH silent-process-exec: src/index.ts:50 semgrep
HIGH silent-process-exec-var: src/index.ts:50 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/91e03a14cb162db5272dd9ccd55cc11473be3514/src/index.ts#L50

  48 | // Platform fallback
  49 | const opener = process.platform === "darwin" ? "open" : "xdg-open";
> 50 | spawn(opener, [filePath], { detached: true, stdio: "ignore" }).unref();
  51 | return "Opened in default app";
  52 | }
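The accepted-risk entries rest on the candidate filter, and the excerpt at line 34 shows what that filter is: `candidates.some((e) => base.includes(e))`, a substring test on the basename. Any executable whose basename merely contains a candidate name (a `nvim-wrapper` in any directory, for instance) passes and is then spawned detached with its output discarded. Whether that matters depends on where `configured` is read from, which this page does not show. What follows is an added example, not the extension's code, of the same launch pattern with an exact-match allowlist and an absolute file argument; the allowlist contents and the function names are assumptions. The detached `spawn(...).unref()` that semgrep keys on is kept deliberately, since a GUI editor has to outlive the CLI process.

```typescript
import { spawn } from "node:child_process";
import { basename, isAbsolute, resolve } from "node:path";

// Added example, not the extension's code. Same shape as the scanned excerpt
// (allowlist check, then a detached spawn of the editor) with the allowlist
// applied strictly. The list itself is an assumption; the extension's candidate
// list is not shown on this page.
const EDITOR_ALLOWLIST = ["code", "cursor", "subl", "vim", "nvim", "nano", "emacs"] as const;

interface EditorCommand {
  command: string; // argv[0] handed to spawn(): a bare name or an absolute path
  label: string;   // allowlist entry it matched, for the status message
}

// The check as it appears in the scanned code: a substring test on the
// basename. Kept only to contrast with selectEditor() below.
function looseMatch(configured: string, candidates: readonly string[]): string | undefined {
  const base = basename(configured);
  return candidates.find((e) => base.includes(e));
}

// Strict selection. Accepts a bare allowlisted command name (spawn resolves it
// through PATH) or an absolute path whose basename equals an allowlisted name.
// Relative paths, control characters and anything not on the list are rejected.
function selectEditor(
  configured: string | undefined,
  candidates: readonly string[] = EDITOR_ALLOWLIST,
): EditorCommand | null {
  if (!configured) return null;
  const value = configured.trim();
  if (value === "" || /[\0\r\n]/.test(value)) return null;
  const bareName = !value.includes("/") && !value.includes("\\");
  if (!bareName && !isAbsolute(value)) return null;
  const base = basename(value);
  const label = candidates.find((e) => e === base);
  return label === undefined ? null : { command: value, label };
}

// Pass the file as an absolute path so the positional argument can never start
// with "-" and be read by the editor as an option.
function safeFileArg(filePath: string): string {
  return resolve(filePath);
}

// Detached launch exactly as the extension does it, gated on strict selection.
function openInEditor(configured: string | undefined, filePath: string): string {
  const chosen = selectEditor(configured);
  if (chosen === null) return "No allowlisted editor configured";
  spawn(chosen.command, [safeFileArg(filePath)], { detached: true, stdio: "ignore" }).unref();
  return `Opened in ${chosen.label}`;
}
```

With a bare name such as `code`, `spawn` still resolves the binary through PATH, so the `which` probe from line 41 of the excerpt is not needed for the allowlisted case; a non-zero exit from a missing binary surfaces as an `error` event on the child rather than as a silent failure.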

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

7 findings
HIGH silent-process-exec: src/index.ts:35 semgrep
HIGH silent-process-exec-var: src/index.ts:35 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/d0d25df0a116b88dbdb1744216348ce11d576649/src/index.ts#L35

  33 | const base = basename(configured);
  34 | if (candidates.some((e) => base.includes(e))) {
> 35 |   spawn(configured, [filePath], { detached: true, stdio: "ignore" }).unref();
  36 |   return `Opened in ${base}`;
  37 | }

HIGH silent-process-exec: src/index.ts:43 semgrep
HIGH silent-process-exec-var: src/index.ts:43 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/d0d25df0a116b88dbdb1744216348ce11d576649/src/index.ts#L43

  41 | const w = spawnSync("which", [editor], { encoding: "utf-8", stdio: "pipe" });
  42 | if (w.status === 0) {
> 43 |   spawn(editor, [filePath], { detached: true, stdio: "ignore" }).unref();
  44 |   return `Opened in ${editor}`;
  45 | }

HIGH silent-process-exec: src/index.ts:50 semgrep
HIGH silent-process-exec-var: src/index.ts:50 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/agnishcc/pi-extention-monorepo/blob/d0d25df0a116b88dbdb1744216348ce11d576649/src/index.ts#L50

  48 | // Platform fallback
  49 | const opener = process.platform === "darwin" ? "open" : "xdg-open";
> 50 | spawn(opener, [filePath], { detached: true, stdio: "ignore" }).unref();
  51 | return "Opened in default app";
  52 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.