
@arcote.tech/arc-cli

CLI tool for Arc framework

Versions: 32
License:
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arcote.tech

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on a JSDoc comment describing path traversal defense, not actual /etc/passwd access. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool spawning child processes with process.env is standard; no exfiltration path. | ai | |
| semgrep | semgrep:ssh-key-access | AI (semgrep): SSH key path appears in a Terraform template string as a default value, not credential access. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 loopback address for local Caddy management listener; not a remote exfiltration endpoint. | ai | |
| phantom-deps | phantom-dep:@arcote.tech/arc-ds | AI (phantom-deps): Externalized in build script; declared as runtime dep but not directly imported in CLI source. | ai | |
| phantom-deps | phantom-dep:@arcote.tech/arc-react | AI (phantom-deps): Externalized in build script; declared as runtime dep but not directly imported in CLI source. | ai | |

Versions (showing 32 of 32)

Version Deps Published
0.7.12 26 / 2
0.7.11 26 / 2
0.7.10 26 / 2
0.7.9 26 / 2
0.7.8 26 / 2
0.7.7 26 / 2
0.7.6 14 / 2
0.7.5 13 / 2
0.7.4 12 / 2
0.7.3 12 / 2
0.7.1 12 / 2
0.7.0 12 / 2
0.6.2 12 / 2
0.6.1 12 / 2
0.6.0 12 / 2
0.5.8 12 / 2
0.5.7 12 / 2
0.5.6 12 / 2
0.5.5 12 / 2
0.5.2 11 / 2
0.5.1 11 / 2
0.5.0 11 / 2
0.4.10 5 / 2
0.4.9 5 / 2
0.4.8 5 / 2
0.4.7 5 / 2
0.4.6 5 / 2
0.4.5 5 / 2
0.4.2 5 / 2
0.4.1 5 / 2
0.3.1 5 / 2
0.3.0 5 / 2

v0.7.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3

5 findings
HIGH env-spread: src/builder/access-extractor.ts:75 semgrep

Spreading entire process.env into an object — may capture all secrets

  73 | cmd: ["bun", "run", workerPath],
  74 | cwd: rootDir,
> 75 | env: {
  76 | ...process.env,
  77 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:81 semgrep

Spreading entire process.env into an object — may capture all secrets

  79 | cwd: workDir,
  80 | stdio: ["ignore", "pipe", "pipe"],
> 81 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  82 | },
  83 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1

5 findings
HIGH env-spread: src/builder/access-extractor.ts:75 semgrep

Spreading entire process.env into an object — may capture all secrets

  73 | cmd: ["bun", "run", workerPath],
  74 | cwd: rootDir,
> 75 | env: {
  76 | ...process.env,
  77 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:81 semgrep

Spreading entire process.env into an object — may capture all secrets

  79 | cwd: workDir,
  80 | stdio: ["ignore", "pipe", "pipe"],
> 81 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  82 | },
  83 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

6 findings
HIGH env-spread: src/builder/access-extractor.ts:90 semgrep

Spreading entire process.env into an object — may capture all secrets

  88 | cmd: ["bun", "run", workerPath],
  89 | cwd: rootDir,
> 90 | env: {
  91 | ...process.env,
  92 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:61 semgrep

Spreading entire process.env into an object — may capture all secrets

  59 | cwd: workDir,
  60 | stdio: ["ignore", "pipe", "pipe"],
> 61 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  62 | },
  63 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

HIGH etc-passwd-access: src/platform/server.ts:289 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

  287 |
  288 | /** Chunk names must be alphanumeric + dash/underscore — defends against
> 289 | * path traversal in URL segments like `/modules/../../etc/passwd`. */
  290 | const CHUNK_NAME_RE = /^[A-Za-z0-9_-]+$/;
  291 | /** Module filenames are Bun.build outputs — `<safeName>.js` or `chunk-<hash>.js`. */

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.2

5 findings
HIGH env-spread: src/builder/access-extractor.ts:60 semgrep

Spreading entire process.env into an object — may capture all secrets

  58 | const proc = spawn({
  59 | cmd: ["bun", "run", workerPath],
> 60 | env: {
  61 | ...process.env,
  62 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:61 semgrep

Spreading entire process.env into an object — may capture all secrets

  59 | cwd: workDir,
  60 | stdio: ["ignore", "pipe", "pipe"],
> 61 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  62 | },
  63 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1

5 findings
HIGH env-spread: src/builder/access-extractor.ts:60 semgrep

Spreading entire process.env into an object — may capture all secrets

  58 | const proc = spawn({
  59 | cmd: ["bun", "run", workerPath],
> 60 | env: {
  61 | ...process.env,
  62 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:61 semgrep

Spreading entire process.env into an object — may capture all secrets

  59 | cwd: workDir,
  60 | stdio: ["ignore", "pipe", "pipe"],
> 61 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  62 | },
  63 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

5 findings
HIGH env-spread: src/builder/access-extractor.ts:60 semgrep

Spreading entire process.env into an object — may capture all secrets

  58 | const proc = spawn({
  59 | cmd: ["bun", "run", workerPath],
> 60 | env: {
  61 | ...process.env,
  62 | ARC_ACCESS_BUNDLES: JSON.stringify(serverBundles),

HIGH env-spread: src/deploy/ansible.ts:61 semgrep

Spreading entire process.env into an object — may capture all secrets

  59 | cwd: workDir,
  60 | stdio: ["ignore", "pipe", "pipe"],
> 61 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  62 | },
  63 | );

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:49 semgrep

Accessing SSH keys — strong indicator of credential theft

  47 | // Write tfvars — NEVER put token inline in main.tf
  48 | const sshPubKey =
> 49 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  50 | if (!existsSync(expandHome(sshPubKey))) {
  51 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.8

4 findings
HIGH env-spread: src/deploy/ansible.ts:63 semgrep

Spreading entire process.env into an object — may capture all secrets

  61 | stdout: "inherit",
  62 | stderr: "inherit",
> 63 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  64 | });
  65 | const exit = await proc.exited;

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:38 semgrep

Accessing SSH keys — strong indicator of credential theft

  36 | // Write tfvars — NEVER put token inline in main.tf
  37 | const sshPubKey =
> 38 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  39 | if (!existsSync(expandHome(sshPubKey))) {
  40 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.7

4 findings
HIGH env-spread: src/deploy/ansible.ts:63 semgrep

Spreading entire process.env into an object — may capture all secrets

  61 | stdout: "inherit",
  62 | stderr: "inherit",
> 63 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  64 | });
  65 | const exit = await proc.exited;

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:38 semgrep

Accessing SSH keys — strong indicator of credential theft

  36 | // Write tfvars — NEVER put token inline in main.tf
  37 | const sshPubKey =
> 38 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  39 | if (!existsSync(expandHome(sshPubKey))) {
  40 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.6

4 findings
HIGH env-spread: src/deploy/ansible.ts:63 semgrep

Spreading entire process.env into an object — may capture all secrets

  61 | stdout: "inherit",
  62 | stderr: "inherit",
> 63 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  64 | });
  65 | const exit = await proc.exited;

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:38 semgrep

Accessing SSH keys — strong indicator of credential theft

  36 | // Write tfvars — NEVER put token inline in main.tf
  37 | const sshPubKey =
> 38 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  39 | if (!existsSync(expandHome(sshPubKey))) {
  40 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.5

4 findings
HIGH env-spread: src/deploy/ansible.ts:63 semgrep

Spreading entire process.env into an object — may capture all secrets

  61 | stdout: "inherit",
  62 | stderr: "inherit",
> 63 | env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
  64 | });
  65 | const exit = await proc.exited;

HIGH ssh-key-access: src/deploy/assets.ts:84 semgrep

Accessing SSH keys — strong indicator of credential theft

  82 | description = "Path to the public key uploaded to the server"
  83 | type = string
> 84 | default = "~/.ssh/id_ed25519.pub"
  85 | }
  86 | `;

HIGH ssh-key-access: src/deploy/terraform.ts:38 semgrep

Accessing SSH keys — strong indicator of credential theft

  36 | // Write tfvars — NEVER put token inline in main.tf
  37 | const sshPubKey =
> 38 | inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
  39 | if (!existsSync(expandHome(sshPubKey))) {
  40 | throw new Error(

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.