@chelonia/lib
Library for building Chelonia applications
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used as a named saferEval sandbox for Chelonia contract execution; intentional and documented pattern for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): In buildHelper.ts spawning tsc; standard build-tool pattern, not runtime secret exposure. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Legitimate crypto key decoding in files.ts; not obfuscation or payload hiding. | ai | |
| typosquat | typosquat.levenshtein:glob | AI (typosquat): Scoped package @chelonia/lib; no plausible typosquat of 'glob'. | ai |
v1.4.3
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/okTurtles/libcheloniajs/blob/02a04cef812fef36cc0dcf5d50d1e4195edae719/buildHelper.ts#L43 41 | await new Promise<void>((resolve, reject) => { 42 | const tsc = spawn('tsc', opts.tscArgs, { > 43 | env: { 44 | ...process.env, 45 | PATH: [join(__dirname, 'node_modules', '.bin'), process.env.PATH].filter(Boolean).join(':')
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.