
@clerk/dev-cli

CLI tool designed to simplify the process of iterating on packages within the clerk/javascript repository

Versions: 2
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

colinclerk, bradenclerk, nikosdouvlis, chanioxaris, jescalan, dominic-clerk, mwickett

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: semgrep
Rule: semgrep:env-spread
Reason: AI (semgrep): This is a developer CLI tool that spawns subprocesses (e.g., $VISUAL editor). Passing process.env to spawn() is standard and correct behavior for CLI tools — not credential exfiltration. Stable false positive for this package.
Accepted by: ai
When: not shown

Versions (showing 2 of 2)

Version   Deps    Published
0.1.0     5 / 0   (not shown)
0.0.12    5 / 0   (not shown)

v0.1.0

9 findings
HIGH env-spread: src/commands/config.js:13 semgrep

Spreading entire process.env into an object — may capture all secrets

    11 | spawn(process.env.VISUAL, [CONFIG_FILE], {
    12 |   stdio: 'inherit',
  > 13 |   env: {
    14 |     ...process.env,
    15 |   },

HIGH env-spread: src/commands/config.js:20 semgrep

Spreading entire process.env into an object — may capture all secrets

    18 | spawn(process.env.EDITOR, [CONFIG_FILE], {
    19 |   stdio: 'inherit',
  > 20 |   env: {
    21 |     ...process.env,
    22 |   },

HIGH env-spread: src/commands/init.js:44 semgrep

Spreading entire process.env into an object — may capture all secrets

    42 | spawn(process.env.VISUAL, [CONFIG_FILE], {
    43 |   stdio: 'inherit',
  > 44 |   env: {
    45 |     ...process.env,
    46 |   },

HIGH env-spread: src/commands/init.js:52 semgrep

Spreading entire process.env into an object — may capture all secrets

    50 | spawn(process.env.EDITOR, [CONFIG_FILE], {
    51 |   stdio: 'inherit',
  > 52 |   env: {
    53 |     ...process.env,
    54 |   },

HIGH env-spread: src/commands/setup.js:180 semgrep

Spreading entire process.env into an object — may capture all secrets

    178 | const child = spawn('pnpm', ['import'], {
    179 |   stdio: 'inherit',
  > 180 |   env: {
    181 |     ...process.env,
    182 |   },

HIGH env-spread: src/commands/setup.js:215 semgrep

Spreading entire process.env into an object — may capture all secrets

    213 | const child = spawn('pnpm', args, {
    214 |   stdio: 'inherit',
  > 215 |   env: {
    216 |     ...process.env,
    217 |   },

HIGH env-spread: src/commands/watch.js:37 semgrep

Spreading entire process.env into an object — may capture all secrets

    35 |   command: 'turbo run dev --filter=@clerk/clerk-js -- --env devOrigin=http://localhost:4000',
    36 |   cwd,
  > 37 |   env: { TURBO_UI: '0', ...process.env },
    38 | };
    39 |

HIGH env-spread: src/commands/watch.js:45 semgrep

Spreading entire process.env into an object — may capture all secrets

    43 |   command: `turbo ${args.join(' ')}`,
    44 |   cwd,
  > 45 |   env: { TURBO_UI: '0', ...process.env },
    46 | };
    47 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers, but it attests to how the tarball was built, not to what the source contains; the provenance summary above records no source commit for this version, so from this page alone the build cannot be tied to a specific revision of clerk/javascript.

v0.0.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.