@anthropic-ai/claude-agent-sdk

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 2 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 8 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package contains compiled binaries that could be backdoors: • vendor/ripgrep/arm64-darwin/rg • vendor/ripgrep/arm64-linux/rg • vendor/ripgrep/x64-darwin/rg • vendor/ripgrep/x64-linux/rg • vendor/ripgrep/arm64-win32/rg.exe • vendor/ripgrep/x64-win32/rg.exe • vendor/audio-capture/arm64-darwin/audio-capture.node • vendor/audio-capture/arm64-linux/audio-capture.node • vendor/audio-capture/arm64-win32/audio-capture.node • vendor/audio-capture/x64-darwin/audio-capture.node ... and 8 more

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else N7.streamInput(Q);return N7}function Fx(Q){return DQ(Q)}function Lx(Q,X){return FW(Q,X)}async function Nx(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 64 | ]))`;continue}}if($.s&&Y[z]==="."){G+=W?`${Y[z]}\r 65 | `:`[${Y[z]}\r > 66 | ]`;continue}if(G+=Y[z],Y[z]==="\\")J=!0;else if(W&&Y[z]==="]")W=!1;else if(!W&&Y[z]==="[")W=!0}try{new RegExp(G)}catch{r 67 | `);else A7.streamInput(Q);return A7}function $m(Q){return wX(Q)}function Ym(Q,X){return aJ(Q,X)}async function Gm(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(Q);return K7}function tT(Q){return UQ(Q)}function aT(Q,X){return BW(Q,X)}async function sT(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(Q);return K7}function tT(Q){return UQ(Q)}function aT(Q,X){return BW(Q,X)}async function sT(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(Q);return K7}function tT(Q){return UQ(Q)}function aT(Q,X){return BW(Q,X)}async function sT(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else V7.streamInput(Q);return V7}function Qx(Q){return LQ(Q)}function Xx(Q,X){return KW(Q,X)}async function Yx(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(Q);return z7}function eT(Q){return qQ(Q)}function Qx(Q,X){return KW(Q,X)}async function Xx(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if(Y.s&&$[B]==="."){W+=G?`${$[B]}\r 54 | `:`[${$[B]}\r > 55 | ]`;continue}if(W+=$[B],$[B]==="\\")J=!0;else if(G&&$[B]==="]")G=!1;else if(!G&&$[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(Q);return z7}function eT(Q){return qQ(Q)}function Qx(Q,X){return KW(Q,X)}async function Xx(Q,X){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(X);return K7}function Yx(X){return L9(X)}function Wx(X,Q){return VW(X,Q)}async function Jx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(X);return K7}function $x(X){return L9(X)}function Yx(X,Q){return VW(X,Q)}async function Wx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(X);return K7}function $x(X){return L9(X)}function Yx(X,Q){return VW(X,Q)}async function Wx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else K7.streamInput(X);return K7}function $x(X){return L9(X)}function Yx(X,Q){return VW(X,Q)}async function Wx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function e_(X){return V9(X)}function Xx(X,Q){return UW(X,Q)}async function Qx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function e_(X){return V9(X)}function Xx(X,Q){return UW(X,Q)}async function Qx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function e_(X){return V9(X)}function Xx(X,Q){return UW(X,Q)}async function Qx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function e_(X){return V9(X)}function Xx(X,Q){return UW(X,Q)}async function Qx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function s_(X){return V9(X)}function e_(X,Q){return UW(X,Q)}async function Xx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function s_(X){return V9(X)}function e_(X,Q){return UW(X,Q)}async function Xx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function s_(X){return V9(X)}function e_(X,Q){return UW(X,Q)}async function Xx(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return UW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return UW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return UW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return UW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return UW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return KW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function t_(X){return V9(X)}function a_(X,Q){return KW(X,Q)}async function s_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function o_(X){return V9(X)}function t_(X,Q){return KW(X,Q)}async function a_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Spreading entire process.env into an object — may capture all secrets 53 | ]))`;continue}}if($.s&&Y[B]==="."){W+=G?`${Y[B]}\r 54 | `:`[${Y[B]}\r > 55 | ]`;continue}if(W+=Y[B],Y[B]==="\\")J=!0;else if(G&&Y[B]==="]")G=!1;else if(!G&&Y[B]==="[")G=!0}try{new RegExp(W)}catch{r 56 | `);else z7.streamInput(X);return z7}function p_(X){return V9(X)}function d_(X,Q){return zW(X,Q)}async function i_(X,Q){l

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.