@bobfrankston/msger
Fast, lightweight, cross-platform message box - Rust-powered alternative to msgview
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | rapid-publish | AI (publish-pattern): Publisher releases ~2 versions/day consistently; rapid publish is the normal cadence for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped personal package with 347 versions and 3.8k downloads; sparse README/no repo URL is a style choice, not spam. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep @bobfrankston/msgcommon is under the same author namespace; low risk of supply-chain attack from same maintainer's scoped package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall selects the appropriate prebuilt native binary for the platform — standard pattern for cross-platform native tools. Stable for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Bundled binaries are the prebuilt Rust executables and Microsoft WebView2 runtime DLLs that are the core deliverable of this cross-platform native message box tool. Not backdoors. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in cruft/build.ts, a dev build script. Spreading process.env into execSync is standard build tooling practice, not a runtime exfiltration risk. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 0.1.383 | 4 / 1 | |
| 0.1.381 | 4 / 1 | |
| 0.1.366 | 3 / 1 | |
| 0.1.362 | 3 / 1 | |
| 0.1.350 | 3 / 1 | |
| 0.1.224 | 3 / 1 | |
| 0.1.222 | 3 / 1 | |
| 0.1.211 | 3 / 1 | |
| 0.1.199 | 3 / 1 | |
| 0.1.186 | 3 / 1 | |
| 0.1.183 | 3 / 1 | |
| 0.1.180 | 3 / 1 | |
| 0.1.175 | 3 / 1 | |
| 0.1.170 | 3 / 1 | |
| 0.1.167 | 3 / 1 | |
| 0.1.166 | 3 / 1 | |
| 0.1.164 | 3 / 1 | |
| 0.1.162 | 3 / 1 | |
| 0.1.161 | 3 / 1 | |
| 0.1.160 | 3 / 1 | |
| 0.1.159 | 3 / 1 | |
| 0.1.148 | 2 / 1 | |
| 0.1.32 | 0 / 1 | |
| 0.1.16 | 0 / 1 | |
| 0.1.15 | 0 / 1 | |
| 0.1.14 | 0 / 1 | |
| 0.1.12 | 0 / 1 | |
| 0.1.11 | 0 / 1 | |
| 0.1.10 | 0 / 1 | |
| 0.1.9 | 0 / 1 | |
| 0.1.8 | 0 / 1 | |
| 0.1.7 | 0 / 1 | |
| 0.1.6 | 0 / 1 | |
| 0.1.5 | 0 / 1 | |
| 0.1.4 | 0 / 1 | |
| 0.1.3 | 0 / 1 | |
| 0.1.2 | 0 / 1 | |
| 0.1.1 | 0 / 1 | |
v0.1.383
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.381
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.350
2 findings

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: bobfrankston.

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.224
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative-1775608262285.exe
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (line 86):

```js
   84 | const binaryPath = resolveBinaryPath();
   85 | // Declare variables that will be used outside the Promise
>  86 | const childEnv = { ...process.env };
   87 | if ('NODE_OPTIONS' in childEnv) {
   88 | delete childEnv.NODE_OPTIONS;
```

Spreading entire process.env into an object — may capture all secrets (line 340):

```js
  338 | const serviceOptions = { ...options, service: true, detach: false };
  339 | const binaryPath = resolveBinaryPath();
> 340 | const childEnv = { ...process.env };
  341 | if ("NODE_OPTIONS" in childEnv)
  342 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.222
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative-1775603001966.exe
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (line 86):

```js
   84 | const binaryPath = resolveBinaryPath();
   85 | // Declare variables that will be used outside the Promise
>  86 | const childEnv = { ...process.env };
   87 | if ('NODE_OPTIONS' in childEnv) {
   88 | delete childEnv.NODE_OPTIONS;
```

Spreading entire process.env into an object — may capture all secrets (line 340):

```js
  338 | const serviceOptions = { ...options, service: true, detach: false };
  339 | const binaryPath = resolveBinaryPath();
> 340 | const childEnv = { ...process.env };
  341 | if ("NODE_OPTIONS" in childEnv)
  342 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.211
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative-1775580565098.exe
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (line 86):

```js
   84 | const binaryPath = resolveBinaryPath();
   85 | // Declare variables that will be used outside the Promise
>  86 | const childEnv = { ...process.env };
   87 | if ('NODE_OPTIONS' in childEnv) {
   88 | delete childEnv.NODE_OPTIONS;
```

Spreading entire process.env into an object — may capture all secrets (line 340):

```js
  338 | const serviceOptions = { ...options, service: true, detach: false };
  339 | const binaryPath = resolveBinaryPath();
> 340 | const childEnv = { ...process.env };
  341 | if ("NODE_OPTIONS" in childEnv)
  342 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.199
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (line 66):

```js
   64 | const binaryPath = path.join(import.meta.dirname, 'msger-native', 'bin', binaryName);
   65 | // Declare variables that will be used outside the Promise
>  66 | const childEnv = { ...process.env };
   67 | if ('NODE_OPTIONS' in childEnv) {
   68 | delete childEnv.NODE_OPTIONS;
```

Spreading entire process.env into an object — may capture all secrets (line 329):

```js
  327 | binaryName = "msgernative";
  328 | const binaryPath = path.join(import.meta.dirname, "msger-native", "bin", binaryName);
> 329 | const childEnv = { ...process.env };
  330 | if ("NODE_OPTIONS" in childEnv)
  331 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.186
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/774caf437c326cbe01ccdc19bad5fd3cacf37355/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.js, line 66)
Source: https://github.com/BobFrankston/msger/blob/774caf437c326cbe01ccdc19bad5fd3cacf37355/shower.js#L66

```js
   64 | const binaryPath = path.join(import.meta.dirname, 'msger-native', 'bin', binaryName);
   65 | // Declare variables that will be used outside the Promise
>  66 | const childEnv = { ...process.env };
   67 | if ('NODE_OPTIONS' in childEnv) {
   68 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.183
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/85fc6c8bc87812245e1f96e864a4d16168ca1690/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.js, line 66)
Source: https://github.com/BobFrankston/msger/blob/85fc6c8bc87812245e1f96e864a4d16168ca1690/shower.js#L66

```js
   64 | const binaryPath = path.join(import.meta.dirname, 'msger-native', 'bin', binaryName);
   65 | // Declare variables that will be used outside the Promise
>  66 | const childEnv = { ...process.env };
   67 | if ('NODE_OPTIONS' in childEnv) {
   68 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.180
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.175
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.170
5 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/c0d42afceb84b67b3c82d0b6bab1143e76b7bcb9/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.js, line 66)
Source: https://github.com/BobFrankston/msger/blob/c0d42afceb84b67b3c82d0b6bab1143e76b7bcb9/shower.js#L66

```js
   64 | const binaryPath = path.join(import.meta.dirname, 'msger-native', 'bin', binaryName);
   65 | // Declare variables that will be used outside the Promise
>  66 | const childEnv = { ...process.env };
   67 | if ('NODE_OPTIONS' in childEnv) {
   68 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.167
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/7cb640ec23a263dc02e7dc33f4552b6cc46a13f8/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/7cb640ec23a263dc02e7dc33f4552b6cc46a13f8/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/7cb640ec23a263dc02e7dc33f4552b6cc46a13f8/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.166
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/1907b5699b127b12601959ffbe065e4b1a441b0d/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/1907b5699b127b12601959ffbe065e4b1a441b0d/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/1907b5699b127b12601959ffbe065e4b1a441b0d/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.164
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/c3d6765bb9e0ee47802cda50cce83fd77e215623/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/c3d6765bb9e0ee47802cda50cce83fd77e215623/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/c3d6765bb9e0ee47802cda50cce83fd77e215623/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.162
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/ac42c0c8da080d3c832d200f8e7269e611da1522/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/ac42c0c8da080d3c832d200f8e7269e611da1522/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/ac42c0c8da080d3c832d200f8e7269e611da1522/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.161
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/6fbecf2570917a399caffad57f9b297d7aaae8b5/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/6fbecf2570917a399caffad57f9b297d7aaae8b5/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/6fbecf2570917a399caffad57f9b297d7aaae8b5/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.160
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/5165943383416a5f42a4ac1ba75470c397258a0a/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/5165943383416a5f42a4ac1ba75470c397258a0a/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/5165943383416a5f42a4ac1ba75470c397258a0a/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.159
6 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/be622e0a488e727f378505bb0fde30281d41208b/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/be622e0a488e727f378505bb0fde30281d41208b/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 124)
Source: https://github.com/BobFrankston/msger/blob/be622e0a488e727f378505bb0fde30281d41208b/shower.ts#L124

```ts
  122 |
  123 | // Declare variables that will be used outside the Promise
> 124 | const childEnv = { ...process.env } as Record<string, any>;
  125 | if ('NODE_OPTIONS' in childEnv) {
  126 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.148
7 findings

Install script (postinstall): node msger-native/builder/postinstall.js

Package contains compiled binaries that could be backdoors:
- msger-native/bin/msgernative
- msger-native/bin/msgernative-arm64
- msger-native/bin/msgernative-linux-aarch64
- cruft/msgernative-linux-x64
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Domain Actions/3.0.0.16/domain_actions.dll
- msger-native/bin/msgernative.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll
- cruft/msgernative-win32-x64.exe
- msger-native/bin/msgernative.exe

Spreading entire process.env into an object — may capture all secrets (cruft/build.ts, line 24)
Source: https://github.com/BobFrankston/msger/blob/9f99edc7a64d315fbee35b63b11c3a236c16d219/cruft/build.ts#L24

```ts
   22 | console.log(`\n📦 ${description}...`);
   23 | try {
>  24 | const env = customEnv ? { ...process.env, ...customEnv } : process.env;
   25 | execSync(cmd, { stdio: 'inherit', env });
   26 | console.log(`✅ ${description} completed`);
```

Spreading entire process.env into an object — may capture all secrets (msger-native/builder/builder.ts, line 184)
Source: https://github.com/BobFrankston/msger/blob/9f99edc7a64d315fbee35b63b11c3a236c16d219/msger-native/builder/builder.ts#L184

```ts
  182 | cwd: nativeDir,
  183 | stdio: verbose ? 'inherit' : 'pipe',
> 184 | env: { ...process.env, PATH: cleanPath }
  185 | });
  186 |
```

Spreading entire process.env into an object — may capture all secrets (shower.js, line 64)
Source: https://github.com/BobFrankston/msger/blob/9f99edc7a64d315fbee35b63b11c3a236c16d219/shower.js#L64

```js
   62 | const binaryPath = path.join(import.meta.dirname, 'msger-native', 'bin', binaryName);
   63 | // Declare variables that will be used outside the Promise
>  64 | const childEnv = { ...process.env };
   65 | if ('NODE_OPTIONS' in childEnv) {
   66 | delete childEnv.NODE_OPTIONS;
```

Spreading entire process.env into an object — may capture all secrets (shower.ts, line 120)
Source: https://github.com/BobFrankston/msger/blob/9f99edc7a64d315fbee35b63b11c3a236c16d219/shower.ts#L120

```ts
  118 |
  119 | // Declare variables that will be used outside the Promise
> 120 | const childEnv = { ...process.env } as Record<string, any>;
  121 | if ('NODE_OPTIONS' in childEnv) {
  122 | delete childEnv.NODE_OPTIONS;
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.