
@codemation/next-host

The **production Next.js host** for Codemation: App Router app, UI features (workflows, credentials, users), and server wiring that delegates to `@codemation/host`. Published packages ship a prebuilt standalone runtime for consumer apps, while framework a

Versions: 2
License: SEE LICENSE IN LICENSE
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

cblokland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env to add a single override before passing to child process; standard pattern. | ai |
phantom-deps | phantom-dep:prisma | AI (phantom-deps): Prisma is a CLI tool invoked at build/migrate time, not directly imported. | ai |
phantom-deps | phantom-dep:shadcn | AI (phantom-deps): shadcn is a CLI code-generation tool, not directly imported. | ai |
phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): monaco-editor is consumed via @monaco-editor/react wrapper; peer dep pattern. | ai |
phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): CSS-only package referenced in config, not JS-imported. | ai |

Versions (showing 2 of 2)

Version | Deps | Published
0.0.2 | 32 / 15 |
0.0.1 | 32 / 15 |

v0.0.2

2 findings
HIGH  env-spread: src/server/CodemationNextHost.ts:189  (semgrep)

Spreading entire process.env into an object — may capture all secrets

      187 | const resolvedConsumerApp = await this.loadBuiltConsumerApp(buildManifest.entryPath);
      188 | const whitelabelSnapshot = CodemationWhitelabelSnapshotFactory.fromConsumerConfig(resolvedConsumerApp.config);
    > 189 | const env = { ...process.env };
      190 | if (prismaCliOverride) {
      191 |   env.CODEMATION_PRISMA_CLI_PATH = prismaCliOverride;

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

2 findings
HIGH  env-spread: src/server/CodemationNextHost.ts:189  (semgrep)

Spreading entire process.env into an object — may capture all secrets

      187 | const resolvedConsumerApp = await this.loadBuiltConsumerApp(buildManifest.entryPath);
      188 | const whitelabelSnapshot = CodemationWhitelabelSnapshotFactory.fromConsumerConfig(resolvedConsumerApp.config);
    > 189 | const env = { ...process.env };
      190 | if (prismaCliOverride) {
      191 |   env.CODEMATION_PRISMA_CLI_PATH = prismaCliOverride;

LOW  No provenance attestation  (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.