@amodalai/studio
Agent editor — draft workspace, file browser, and publish flow for amodal agents
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires in e2e test asserting path-traversal is blocked; not production credential access. | ai | |
| phantom-deps | phantom-dep:next | AI (phantom-deps): Next.js framework dependency; referenced via config and re-exported, not direct imports. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): React is a direct dependency for this UI library; phantom-dep heuristic misses config-based imports. | ai | |
| phantom-deps | phantom-dep:@codemirror/view | AI (phantom-deps): CodeMirror packages are direct dependencies; config-based usage pattern. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used only for safe globalThis.window environment detection; not obfuscation. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer dep for React app consumers; bundled not directly imported. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Fires only in a test file spawning a child process; standard test harness pattern, not a secret leak. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/typography | AI (phantom-deps): Declared dep used via tailwind config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pg | AI (phantom-deps): pg is a declared runtime dep used via config/indirect imports; phantom-dep heuristic misfires for this package. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): postcss is a declared dep used via config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): tailwindcss is a declared dep used via config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:autoprefixer | AI (phantom-deps): autoprefixer is a declared dep used via config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-markdown | AI (phantom-deps): react-markdown is a declared dep; phantom-dep heuristic misfires for this package. | ai | |
Versions (showing 51 of 95)
| Version | Deps | Published |
|---|---|---|
| 0.3.96 | 28 / 9 | |
| 0.3.95 | 28 / 9 | |
| 0.3.94 | 28 / 9 | |
| 0.3.93 | 28 / 9 | |
| 0.3.92 | 28 / 9 | |
| 0.3.91 | 28 / 9 | |
| 0.3.90 | 28 / 9 | |
| 0.3.89 | 28 / 9 | |
| 0.3.88 | 28 / 9 | |
| 0.3.87 | 28 / 9 | |
| 0.3.86 | 28 / 9 | |
| 0.3.85 | 28 / 9 | |
| 0.3.84 | 28 / 9 | |
| 0.3.83 | 28 / 9 | |
| 0.3.82 | 28 / 9 | |
| 0.3.81 | 28 / 9 | |
| 0.3.80 | 28 / 9 | |
| 0.3.79 | 28 / 9 | |
| 0.3.78 | 28 / 9 | |
| 0.3.77 | 28 / 9 | |
| 0.3.76 | 28 / 9 | |
| 0.3.75 | 28 / 9 | |
| 0.3.74 | 28 / 9 | |
| 0.3.73 | 28 / 9 | |
| 0.3.72 | 28 / 9 | |
| 0.3.71 | 28 / 9 | |
| 0.3.70 | 28 / 9 | |
| 0.3.69 | 28 / 9 | |
| 0.3.68 | 28 / 9 | |
| 0.3.67 | 28 / 9 | |
| 0.3.66 | 28 / 9 | |
| 0.3.65 | 28 / 9 | |
| 0.3.64 | 28 / 9 | |
| 0.3.63 | 28 / 9 | |
| 0.3.62 | 28 / 9 | |
| 0.3.61 | 28 / 9 | |
| 0.3.60 | 28 / 9 | |
| 0.3.59 | 28 / 9 | |
| 0.3.58 | 28 / 9 | |
| 0.3.57 | 28 / 9 | |
| 0.3.56 | 28 / 9 | |
| 0.3.55 | 28 / 9 | |
| 0.3.54 | 28 / 9 | |
| 0.3.53 | 28 / 9 | |
| 0.3.52 | 28 / 9 | |
| 0.3.51 | 28 / 9 | |
| 0.3.50 | 28 / 9 | |
| 0.3.49 | 26 / 9 | |
| 0.3.48 | 26 / 9 | |
| 0.3.47 | 26 / 9 | |
| 0.3.46 | 26 / 9 | |
v0.3.96
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5908 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5909 | await fs3.mkdir(blobRoot, { recursive: true });
> 5910 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5911 | try {
  5912 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5981 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5982 | );
> 5983 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5984 | try {
  5985 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5967 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5968 | await fs3.mkdir(blobRoot, { recursive: true });
> 5969 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5970 | try {
  5971 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  6040 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  6041 | );
> 6042 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  6043 | try {
  6044 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.95
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5924 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5925 | await fs3.mkdir(blobRoot, { recursive: true });
> 5926 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5927 | try {
  5928 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5997 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5998 | );
> 5999 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  6000 | try {
  6001 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5983 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5984 | await fs3.mkdir(blobRoot, { recursive: true });
> 5985 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5986 | try {
  5987 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  6056 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  6057 | );
> 6058 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  6059 | try {
  6060 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.94
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5785 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5786 | await fs3.mkdir(blobRoot, { recursive: true });
> 5787 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5788 | try {
  5789 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5858 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5859 | );
> 5860 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5861 | try {
  5862 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5841 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5842 | await fs3.mkdir(blobRoot, { recursive: true });
> 5843 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5844 | try {
  5845 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5914 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5915 | );
> 5916 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5917 | try {
  5918 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.93
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5744 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5745 | await fs3.mkdir(blobRoot, { recursive: true });
> 5746 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5747 | try {
  5748 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5832 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5833 | );
> 5834 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5835 | try {
  5836 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5800 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5801 | await fs3.mkdir(blobRoot, { recursive: true });
> 5802 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5803 | try {
  5804 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5888 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5889 | );
> 5890 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5891 | try {
  5892 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.92
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5744 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5745 | await fs3.mkdir(blobRoot, { recursive: true });
> 5746 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5747 | try {
  5748 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5832 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5833 | );
> 5834 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5835 | try {
  5836 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5800 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5801 | await fs3.mkdir(blobRoot, { recursive: true });
> 5802 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5803 | try {
  5804 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5888 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5889 | );
> 5890 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5891 | try {
  5892 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.91
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5700 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5701 | await fs3.mkdir(blobRoot, { recursive: true });
> 5702 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5703 | try {
  5704 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5788 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5789 | );
> 5790 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5791 | try {
  5792 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5756 | const blobRoot = path7.join(tmpRoot, `blobs-${token}`);
  5757 | await fs3.mkdir(blobRoot, { recursive: true });
> 5758 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5759 | try {
  5760 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5844 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5845 | );
> 5846 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5847 | try {
  5848 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.90
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.89
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.88
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.87
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.86
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.85
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.84
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2291 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2292 | await fs3.mkdir(blobRoot, { recursive: true });
> 2293 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2294 | try {
  2295 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2379 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2380 | );
> 2381 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2382 | try {
  2383 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2256 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2257 | await fs3.mkdir(blobRoot, { recursive: true });
> 2258 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2259 | try {
  2260 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2344 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  2345 | );
> 2346 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2347 | try {
  2348 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.83
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2115 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2116 | await fs3.mkdir(blobRoot, { recursive: true });
> 2117 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2118 | try {
  2119 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2203 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2204 | );
> 2205 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2206 | try {
  2207 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2074 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2075 | await fs3.mkdir(blobRoot, { recursive: true });
> 2076 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2077 | try {
  2078 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2162 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2163 | );
> 2164 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2165 | try {
  2166 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.82
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2115 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2116 | await fs3.mkdir(blobRoot, { recursive: true });
> 2117 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2118 | try {
  2119 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2203 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2204 | );
> 2205 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2206 | try {
  2207 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2074 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2075 | await fs3.mkdir(blobRoot, { recursive: true });
> 2076 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2077 | try {
  2078 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2162 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2163 | );
> 2164 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2165 | try {
  2166 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.81
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2099 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2100 | await fs3.mkdir(blobRoot, { recursive: true });
> 2101 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2102 | try {
  2103 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2187 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2188 | );
> 2189 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2190 | try {
  2191 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2058 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2059 | await fs3.mkdir(blobRoot, { recursive: true });
> 2060 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2061 | try {
  2062 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2146 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2147 | );
> 2148 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2149 | try {
  2150 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.80
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2099 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2100 | await fs3.mkdir(blobRoot, { recursive: true });
> 2101 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2102 | try {
  2103 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2187 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2188 | );
> 2189 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2190 | try {
  2191 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2058 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2059 | await fs3.mkdir(blobRoot, { recursive: true });
> 2060 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2061 | try {
  2062 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2146 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2147 | );
> 2148 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2149 | try {
  2150 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.79
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2096 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2097 | await fs3.mkdir(blobRoot, { recursive: true });
> 2098 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2099 | try {
  2100 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2184 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2185 | );
> 2186 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2187 | try {
  2188 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2055 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2056 | await fs3.mkdir(blobRoot, { recursive: true });
> 2057 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2058 | try {
  2059 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2143 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2144 | );
> 2145 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2146 | try {
  2147 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.78
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  2061 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2062 | await fs3.mkdir(blobRoot, { recursive: true });
> 2063 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2064 | try {
  2065 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2149 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2150 | );
> 2151 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2152 | try {
  2153 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2033 | const blobRoot = path3.join(tmpRoot, `blobs-${token}`);
  2034 | await fs3.mkdir(blobRoot, { recursive: true });
> 2035 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2036 | try {
  2037 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  2121 | `deploy-index-${randomUUID().replace(/-/g, "")}`
  2122 | );
> 2123 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  2124 | try {
  2125 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.77
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5410 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5411 | await fs3.mkdir(blobRoot, { recursive: true });
> 5412 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5413 | try {
  5414 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5498 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5499 | );
> 5500 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5501 | try {
  5502 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5454 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5455 | await fs3.mkdir(blobRoot, { recursive: true });
> 5456 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5457 | try {
  5458 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5542 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5543 | );
> 5544 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5545 | try {
  5546 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.76
5 findings
Spreading entire process.env into an object — may capture all secrets
```
  5392 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5393 | await fs3.mkdir(blobRoot, { recursive: true });
> 5394 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5395 | try {
  5396 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5480 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5481 | );
> 5482 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5483 | try {
  5484 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5436 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5437 | await fs3.mkdir(blobRoot, { recursive: true });
> 5438 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5439 | try {
  5440 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
```
Spreading entire process.env into an object — may capture all secrets
```
  5524 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5525 | );
> 5526 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5527 | try {
  5528 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.75
5 findings
Spreading entire process.env into an object — may capture all secrets
  5133 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5134 | await fs3.mkdir(blobRoot, { recursive: true });
> 5135 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5136 | try {
  5137 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5221 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5222 | );
> 5223 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5224 | try {
  5225 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  5156 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5157 | await fs3.mkdir(blobRoot, { recursive: true });
> 5158 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5159 | try {
  5160 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5244 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5245 | );
> 5246 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5247 | try {
  5248 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.74
5 findings
Spreading entire process.env into an object — may capture all secrets
  5133 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5134 | await fs3.mkdir(blobRoot, { recursive: true });
> 5135 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5136 | try {
  5137 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5221 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5222 | );
> 5223 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5224 | try {
  5225 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  5156 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  5157 | await fs3.mkdir(blobRoot, { recursive: true });
> 5158 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5159 | try {
  5160 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5244 | `deploy-index-${randomUUID3().replace(/-/g, "")}`
  5245 | );
> 5246 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5247 | try {
  5248 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.73
5 findings
Spreading entire process.env into an object — may capture all secrets
  4915 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4916 | await fs3.mkdir(blobRoot, { recursive: true });
> 4917 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4918 | try {
  4919 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5003 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5004 | );
> 5005 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5006 | try {
  5007 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4935 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4936 | await fs3.mkdir(blobRoot, { recursive: true });
> 4937 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4938 | try {
  4939 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5023 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5024 | );
> 5025 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5026 | try {
  5027 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.72
5 findings
Spreading entire process.env into an object — may capture all secrets
  4915 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4916 | await fs3.mkdir(blobRoot, { recursive: true });
> 4917 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4918 | try {
  4919 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5003 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5004 | );
> 5005 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5006 | try {
  5007 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4935 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4936 | await fs3.mkdir(blobRoot, { recursive: true });
> 4937 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4938 | try {
  4939 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5023 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5024 | );
> 5025 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5026 | try {
  5027 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.71
5 findings
Spreading entire process.env into an object — may capture all secrets
  4911 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4912 | await fs3.mkdir(blobRoot, { recursive: true });
> 4913 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4914 | try {
  4915 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4999 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5000 | );
> 5001 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5002 | try {
  5003 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4931 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4932 | await fs3.mkdir(blobRoot, { recursive: true });
> 4933 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4934 | try {
  4935 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  5019 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  5020 | );
> 5021 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  5022 | try {
  5023 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.70
5 findings
Spreading entire process.env into an object — may capture all secrets
  4681 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4682 | await fs3.mkdir(blobRoot, { recursive: true });
> 4683 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4684 | try {
  4685 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4769 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4770 | );
> 4771 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4772 | try {
  4773 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4701 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4702 | await fs3.mkdir(blobRoot, { recursive: true });
> 4703 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4704 | try {
  4705 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4789 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4790 | );
> 4791 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4792 | try {
  4793 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.69
5 findings
Spreading entire process.env into an object — may capture all secrets
  4337 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4338 | await fs3.mkdir(blobRoot, { recursive: true });
> 4339 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4340 | try {
  4341 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4425 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4426 | );
> 4427 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4428 | try {
  4429 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4357 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4358 | await fs3.mkdir(blobRoot, { recursive: true });
> 4359 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4360 | try {
  4361 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4445 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4446 | );
> 4447 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4448 | try {
  4449 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.68
5 findings
Spreading entire process.env into an object — may capture all secrets
  4337 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4338 | await fs3.mkdir(blobRoot, { recursive: true });
> 4339 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4340 | try {
  4341 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4425 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4426 | );
> 4427 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4428 | try {
  4429 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4357 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4358 | await fs3.mkdir(blobRoot, { recursive: true });
> 4359 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4360 | try {
  4361 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4445 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4446 | );
> 4447 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4448 | try {
  4449 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.67
5 findings
Spreading entire process.env into an object — may capture all secrets
  4337 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4338 | await fs3.mkdir(blobRoot, { recursive: true });
> 4339 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4340 | try {
  4341 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4425 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4426 | );
> 4427 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4428 | try {
  4429 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4357 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4358 | await fs3.mkdir(blobRoot, { recursive: true });
> 4359 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4360 | try {
  4361 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4445 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4446 | );
> 4447 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4448 | try {
  4449 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.66
5 findings
Spreading entire process.env into an object — may capture all secrets
  4216 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4217 | await fs3.mkdir(blobRoot, { recursive: true });
> 4218 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4219 | try {
  4220 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4304 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4305 | );
> 4306 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4307 | try {
  4308 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Spreading entire process.env into an object — may capture all secrets
  4236 | const blobRoot = path9.join(tmpRoot, `blobs-${token}`);
  4237 | await fs3.mkdir(blobRoot, { recursive: true });
> 4238 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4239 | try {
  4240 | await gitWithEnv(repoPath, ["read-tree", input.parentCommit], env);
Spreading entire process.env into an object — may capture all secrets
  4324 | `deploy-index-${randomUUID2().replace(/-/g, "")}`
  4325 | );
> 4326 | const env = { ...process.env, GIT_INDEX_FILE: indexPath };
  4327 | try {
  4328 | await gitWithEnv(repoPath, ["read-tree", commitSha], env);
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.65
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.64
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.63
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.62
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.61
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.60
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.59
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.58
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.57
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.56
2 findings
Spreading entire process.env into an object — may capture all secrets
  42 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  43 | cwd: STUDIO_DIR,
> 44 | env: {
  45 | ...process.env,
  46 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.55
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.54
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.53
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.52
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.51
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.50
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.49
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.48
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.47
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.46
2 findings
Spreading entire process.env into an object — may capture all secrets
  35 | const child = spawn('npx', ['tsx', 'src/server/studio-server.ts'], {
  36 | cwd: STUDIO_DIR,
> 37 | env: {
  38 | ...process.env,
  39 | PORT: String(port),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.