@cluesurf/task
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.6.2 | 134 / 29 | |
v0.6.2
6 findings

Spreading entire process.env into an object — may capture all secrets

```js
    break;
}
const env = { ...process.env }; // flagged line
if (input.password)
  env.BORG_PASSPHRASE = input.password;
```

Spreading entire process.env into an object — may capture all secrets

```js
    break;
}
const env = { ...process.env }; // flagged line
if (input.password)
  env.KOPIA_PASSWORD = input.password;
```

Spreading entire process.env into an object — may capture all secrets

```js
    break;
}
const env = { ...process.env }; // flagged line
if (input.password)
  env.RESTIC_PASSWORD = input.password;
```

Spreading entire process.env into an object — may capture all secrets

```js
}
await new Promise((resolve, reject) => {
  const env = cmd.env ? { ...process.env, ...cmd.env } : process.env; // flagged line
  const child = (0, node_child_process_1.spawn)(cmd.bin, cmd.args, { env, stdio: 'inherit' });
  child.on('error', err => reject(makeErr(cmd, err)));
```

Spreading entire process.env into an object — may capture all secrets

```js
function execDb(cmd) {
  return new Promise((resolve, reject) => {
    const env = cmd.env ? { ...process.env, ...cmd.env } : process.env; // flagged line
    const stdin = cmd.pipeFrom ? node_fs_1.default.createReadStream(cmd.pipeFrom) : 'inherit';
    const stdout = cmd.captureTo ? node_fs_1.default.createWriteStream(cmd.captureTo) : 'inherit';
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.