@cleocode/core
CLEO core business logic kernel — tasks, sessions, memory, orchestration, lifecycle, with bundled SQLite store
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Named script file shipped in package files; consistent with prebuilt binary fetch for a native supervisor component. | ai | |
| phantom-deps | phantom-dep:@cleocode/agents | AI (phantom-deps): Same-org scoped package in a monorepo; phantom dep pattern is consistent with the other accepted @cleocode phantom deps in this package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fires on 127.0.0.1 in a unit test for HTTP gate validation — localhost address in test code, not a real network exfiltration endpoint. | ai | |
| phantom-deps | phantom-dep:tree-sitter-c | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports — phantom-dep detection is a known false positive for this pattern. | ai | |
| phantom-deps | phantom-dep:tree-sitter-cpp | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-go | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-java | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-javascript | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Fires on test files using hardcoded zero-byte test vectors — standard unit test pattern for crypto KDF testing, not a malicious payload. | ai | |
| phantom-deps | phantom-dep:pino-roll | AI (phantom-deps): pino-roll is a pino transport loaded by name in config rather than via direct import — standard pino transport pattern. | ai | |
| phantom-deps | phantom-dep:@cleocode/skills | AI (phantom-deps): Same-org package likely loaded dynamically or referenced indirectly; phantom-dep false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@cleocode/adapters | AI (phantom-deps): Same-org package likely loaded dynamically or referenced indirectly; phantom-dep false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:tree-sitter-python | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-ruby | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-rust | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| phantom-deps | phantom-dep:tree-sitter-typescript | AI (phantom-deps): Tree-sitter language grammars are loaded dynamically via config, not direct imports. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @cleocode/core is a scoped package in the @cleocode org ecosystem, not a typosquat of 'cors'. The name reflects its role as the core library; no impersonation intent. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread occurs in test files passing process.env to child git processes with specific overrides — standard test pattern, not credential exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used in a standard AES-GCM decryption function in credentials.ts — legitimate cryptographic code, not obfuscated payload. | ai | |
Versions (showing 51 of 108)
| Version | Deps | Published |
|---|---|---|
| 2026.6.8 | 46 / 5 | |
| 2026.4.74 | 35 / 3 | |
| 2026.4.73 | 35 / 3 | |
| 2026.4.72 | 35 / 3 | |
| 2026.4.70 | 35 / 3 | |
| 2026.4.69 | 35 / 3 | |
| 2026.4.68 | 35 / 3 | |
| 2026.4.67 | 35 / 3 | |
| 2026.4.66 | 35 / 3 | |
| 2026.4.65 | 35 / 3 | |
| 2026.4.64 | 35 / 3 | |
| 2026.4.63 | 35 / 3 | |
| 2026.4.62 | 32 / 3 | |
| 2026.4.60 | 32 / 3 | |
| 2026.4.59 | 32 / 3 | |
| 2026.4.58 | 32 / 3 | |
| 2026.4.57 | 32 / 3 | |
| 2026.4.56 | 32 / 3 | |
| 2026.4.55 | 32 / 3 | |
| 2026.4.54 | 32 / 3 | |
| 2026.4.53 | 32 / 3 | |
| 2026.4.52 | 32 / 3 | |
| 2026.4.51 | 32 / 3 | |
| 2026.4.50 | 32 / 3 | |
| 2026.4.49 | 32 / 3 | |
| 2026.4.48 | 32 / 3 | |
| 2026.4.47 | 32 / 3 | |
| 2026.4.46 | 32 / 3 | |
| 2026.4.45 | 32 / 3 | |
| 2026.4.44 | 32 / 3 | |
| 2026.4.43 | 32 / 3 | |
| 2026.4.42 | 32 / 3 | |
| 2026.4.41 | 32 / 3 | |
| 2026.4.40 | 32 / 3 | |
| 2026.4.39 | 32 / 3 | |
| 2026.4.38 | 32 / 3 | |
| 2026.4.37 | 32 / 3 | |
| 2026.4.36 | 32 / 3 | |
| 2026.4.35 | 31 / 3 | |
| 2026.4.31 | 31 / 3 | |
| 2026.4.30 | 19 / 3 | |
| 2026.4.29 | 19 / 3 | |
| 2026.4.28 | 19 / 3 | |
| 2026.4.27 | 19 / 3 | |
| 2026.4.26 | 19 / 3 | |
| 2026.4.25 | 19 / 3 | |
| 2026.4.24 | 19 / 3 | |
| 2026.4.23 | 19 / 3 | |
| 2026.4.22 | 19 / 3 | |
| 2026.4.21 | 19 / 3 | |
| 2026.4.20 | 19 / 3 | |
v2026.6.8
2 findings
Script: node scripts/install-supervisor-binary.mjs
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.74
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.73
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.72
14 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Spreading entire process.env into an object — may capture all secrets 163 | const out = await execFileAsync(bin!, args, { 164 | cwd, > 165 | env: { ...process.env, ...gate.env }, 166 | timeout: timeoutMs, 167 | });
Spreading entire process.env into an object — may capture all secrets 417 | const out = await execFileAsync(gate.cmd, gate.args ?? [], { 418 | cwd, > 419 | env: { ...process.env, ...gate.env }, 420 | timeout: timeoutMs, 421 | });
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.70
14 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Spreading entire process.env into an object — may capture all secrets 162 | const out = await execFileAsync(bin!, args, { 163 | cwd, > 164 | env: { ...process.env, ...gate.env }, 165 | timeout: timeoutMs, 166 | });
Spreading entire process.env into an object — may capture all secrets 361 | const out = await execFileAsync(gate.cmd, gate.args ?? [], { 362 | cwd, > 363 | env: { ...process.env, ...gate.env }, 364 | timeout: timeoutMs, 365 | });
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.69
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.68
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.67
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.66
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.65
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.64
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.63
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.62
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths — skill-paths module', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.60
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.59
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.58
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.57
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 79 | 80 | describe('shouldCheckpoint', () => { > 81 | const originalEnv = { ...process.env }; 82 | 83 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.56
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.55
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.54
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.53
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 737 | } 738 | > 739 | const gitEnv: NodeJS.ProcessEnv = { 740 | ...process.env, 741 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.52
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.51
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.50
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.49
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.48
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.47
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.46
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.45
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.44
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.43
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 75 | 76 | describe('shouldCheckpoint', () => { > 77 | const originalEnv = { ...process.env }; 78 | 79 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.42
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.41
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.40
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.39
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.38
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.37
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.36
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.35
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.4.31
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.30
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.29
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.28
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.27
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.26
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.25
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.24
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.23
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.22
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.21
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.20
12 findings
Package name '@cleocode/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets 35 | execFileSync('git', ['init'], { 36 | cwd: cleoDir, > 37 | env: { 38 | ...process.env, 39 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 45 | execFileSync('git', ['config', 'user.email', '[email protected]'], { 46 | cwd: cleoDir, > 47 | env: { 48 | ...process.env, 49 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 53 | execFileSync('git', ['config', 'user.name', 'Test'], { 54 | cwd: cleoDir, > 55 | env: { 56 | ...process.env, 57 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 64 | execFileSync('git', ['add', 'config.json'], { 65 | cwd: cleoDir, > 66 | env: { 67 | ...process.env, 68 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 72 | execFileSync('git', ['commit', '-m', 'init', '--no-verify'], { 73 | cwd: cleoDir, > 74 | env: { 75 | ...process.env, 76 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 144 | // Modify a file and commit 145 | await writeFile(join(cleoDir, 'config.json'), '{"version":"2.11.0"}'); > 146 | const gitEnv = { 147 | ...process.env, 148 | GIT_DIR: join(cleoDir, '.git'),
Spreading entire process.env into an object — may capture all secrets 736 | } 737 | > 738 | const gitEnv: NodeJS.ProcessEnv = { 739 | ...process.env, 740 | GIT_DIR: cleoGitDir,
Spreading entire process.env into an object — may capture all secrets 23 | 24 | describe('getSkillSearchPaths', () => { > 25 | const originalEnv = { ...process.env }; 26 | 27 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 76 | 77 | describe('shouldCheckpoint', () => { > 78 | const originalEnv = { ...process.env }; 79 | 80 | beforeEach(() => {
Spreading entire process.env into an object — may capture all secrets 30 | // is a relative path (e.g. '.cleo' returned by getCleoDir() with no cwd arg) 31 | const abs = resolve(cleoDir); > 32 | return { 33 | ...process.env, 34 | GIT_DIR: join(abs, '.git'),
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.