@asynkron/faktorial
Faktorial delivery factory CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI launcher passing process.env to child process is standard; not exfiltrating secrets. | ai |
v0.1.3
2 findingsSpreading entire process.env into an object — may capture all secrets 67 | const child = spawnSync(binary, process.argv.slice(2), { 68 | stdio: "inherit", > 69 | env: { 70 | ...process.env, 71 | FAKTORIAL_PACKAGE_ROOT: __dirname ? path.dirname(__dirname) : process.cwd(),
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
2 findingsSpreading entire process.env into an object — may capture all secrets 67 | const child = spawnSync(binary, process.argv.slice(2), { 68 | stdio: "inherit", > 69 | env: { 70 | ...process.env, 71 | FAKTORIAL_PACKAGE_ROOT: __dirname ? path.dirname(__dirname) : process.cwd(),
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findingsSpreading entire process.env into an object — may capture all secrets 67 | const child = spawnSync(binary, process.argv.slice(2), { 68 | stdio: "inherit", > 69 | env: { 70 | ...process.env, 71 | FAKTORIAL_PACKAGE_ROOT: __dirname ? path.dirname(__dirname) : process.cwd(),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.