← Home

@botonic/create-workspace

npm

Create a new workspace for Botonic bot development

3
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ahubstreericmarcoskhaeshahmrabatoraventosalbert_gomarizteam.platform

Keywords

botonicnxworkspacecreategeneratorchatbothubtype

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:env-spread AI (semgrep): env spread is used to clone and sanitize NX env vars before passing to child process, not for exfiltration. ai
semgrep semgrep:child-process-import AI (semgrep): CLI scaffolding tool legitimately uses child_process to invoke create-nx-workspace; stable pattern for this package. ai
phantom-deps phantom-dep:create-nx-workspace AI (phantom-deps): create-nx-workspace is a declared dependency used via execSync (CLI invocation), not a direct import; false positive for this package. ai

Versions (showing 3 of 3)

Version Deps Published
2.27.0 2 / 0
2.24.0 2 / 0
2.23.0 2 / 0

v2.27.0

2 findings
HIGH env-spread: bin/create-workspace.js:39 semgrep

Spreading entire process.env into an object — may capture all secrets 37 | // Build exec options - use custom registry via env var if provided (session-only, no global config changes) 38 | // Also clear NX_* env vars to avoid interference from parent workspace > 39 | const cleanEnv = { ...process.env } 40 | delete cleanEnv.NX_WORKSPACE_ROOT_PATH 41 | delete cleanEnv.NX_WORKSPACE_ROOT

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.24.0

2 findings
HIGH env-spread: bin/create-workspace.js:39 semgrep

Spreading entire process.env into an object — may capture all secrets 37 | // Build exec options - use custom registry via env var if provided (session-only, no global config changes) 38 | // Also clear NX_* env vars to avoid interference from parent workspace > 39 | const cleanEnv = { ...process.env } 40 | delete cleanEnv.NX_WORKSPACE_ROOT_PATH 41 | delete cleanEnv.NX_WORKSPACE_ROOT

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.23.0

2 findings
HIGH env-spread: bin/create-workspace.js:39 semgrep

Spreading entire process.env into an object — may capture all secrets 37 | // Build exec options - use custom registry via env var if provided (session-only, no global config changes) 38 | // Also clear NX_* env vars to avoid interference from parent workspace > 39 | const cleanEnv = { ...process.env } 40 | delete cleanEnv.NX_WORKSPACE_ROOT_PATH 41 | delete cleanEnv.NX_WORKSPACE_ROOT

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.