@dfosco/storyboard-core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:feather-icons | AI (phantom-deps): Icon library referenced in config/tooling, not directly imported — expected pattern for this UI package. | ai | |
| phantom-deps | phantom-dep:@primer/octicons | AI (phantom-deps): Icon library referenced in config/tooling, not directly imported — expected pattern for this UI package. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Iterates env to unset shell config vars from tmux environment; intentional and documented. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes image data with explicit size limit check; not obfuscation. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): POSTs to local canvas agent signal endpoint; not exfiltration. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): Used in UI bundle build; referenced in config files as expected. | ai | |
| phantom-deps | phantom-dep:iconoir | AI (phantom-deps): Icon library bundled into dist; referenced in build config, not directly imported at runtime. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Passes env to spawned terminal process; standard pattern for pty/tmux tools. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 4.2.8 | 9 / 9 | |
| 4.2.5 | 9 / 9 | |
| 4.2.4 | 9 / 9 | |
| 4.2.3 | 9 / 9 | |
| 3.8.1 | 4 / 14 | |
| 3.7.0 | 4 / 14 | |
| 3.3.2 | 4 / 14 | |
| 3.3.1 | 4 / 14 | |
| 3.3.0 | 4 / 14 | |
| 3.1.2 | 10 / 4 | |
| 1.8.0 | 0 / 0 | |
| 1.7.1 | 0 / 0 | |
| 1.7.0 | 0 / 0 | |
| 1.6.0 | 0 / 0 | |
| 1.5.0 | 0 / 0 | |
| 1.1.0 | 0 / 0 | |
v4.2.8
6 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/1478fb88dd080e5c4edfc0864cb7bb8789f0f870/src/canvas/terminal-server.js#L652
```js
  650 | rows: 24,
  651 | cwd: process.cwd(),
> 652 | env: { ...process.env, TERM: 'xterm-256color' },
  653 | })
  654 | } catch (err) {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/1478fb88dd080e5c4edfc0864cb7bb8789f0f870/src/cli/create.js#L109
```js
  107 |
  108 | const child = spawn('npx', ['vite', '--port', String(port)], {
> 109 | env: { ...process.env, VITE_BASE_PATH: basePath },
  110 | stdio: ['ignore', 'pipe', 'pipe'],
  111 | detached: true,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/1478fb88dd080e5c4edfc0864cb7bb8789f0f870/src/cli/terminal-welcome.js#L66
```js
  64 | .filter(p => !p.endsWith('.storyboard/terminals/bin'))
  65 | .join(':')
> 66 | return { ...process.env, PATH: cleanPath }
  67 | }
  68 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/1478fb88dd080e5c4edfc0864cb7bb8789f0f870/src/server/index.js#L134
```js
  132 | ? spawn(localVite, viteArgs, {
  133 | cwd,
> 134 | env: { ...process.env, VITE_BASE_PATH: basePath },
  135 | stdio: ['ignore', 'pipe', 'pipe'],
  136 | })
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/1478fb88dd080e5c4edfc0864cb7bb8789f0f870/src/server/index.js#L139
```js
  137 | : spawn('npx', ['vite', ...viteArgs], {
  138 | cwd,
> 139 | env: { ...process.env, VITE_BASE_PATH: basePath },
  140 | stdio: ['ignore', 'pipe', 'pipe'],
  141 | })
```
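The five findings above all build the child's environment by spreading process.env, so every variable in the parent's environment (NPM_TOKEN, GITHUB_TOKEN, cloud credentials, CI secrets) is inherited by the spawned Vite or terminal process and by anything it spawns in turn. The accepted-risk note treats this as standard for pty/tmux tools, which is reasonable for an interactive shell the user expects to match their own environment; for the Vite dev-server spawns an allowlist costs nothing. The following is an added example, not code from @dfosco/storyboard-core: a buildChildEnv helper (a name chosen here) forwards only named variables and VITE_-prefixed ones, drops anything whose name looks like a credential, then applies the explicit overrides the original code sets after the spread (TERM, VITE_BASE_PATH, a cleaned PATH). The sample environment is constructed with placeholder values.

```javascript
// Added example, not code from @dfosco/storyboard-core. Builds a child-process
// environment from an explicit allowlist instead of `{ ...process.env, ... }`.

// Variables a dev server or shell helper legitimately needs. Anything not listed
// (NPM_TOKEN, GITHUB_TOKEN, cloud credentials, CI secrets) is not forwarded.
const DEFAULT_ALLOWLIST = [
  'PATH', 'HOME', 'USER', 'SHELL', 'LANG', 'LC_ALL', 'TERM', 'TMPDIR', 'NODE_ENV',
];

// Names that look like credentials are dropped even when a prefix rule admits
// them (a VITE_ prefix does not make VITE_API_SECRET safe to hand to a child).
const SECRET_PATTERN = /TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL/i;

function buildChildEnv(source, { allow = DEFAULT_ALLOWLIST, allowPrefixes = [], overrides = {} } = {}) {
  const env = {};
  for (const [name, value] of Object.entries(source)) {
    if (typeof value !== 'string') continue;
    const admitted = allow.includes(name) || allowPrefixes.some(p => name.startsWith(p));
    if (!admitted || SECRET_PATTERN.test(name)) continue;
    env[name] = value;
  }
  // Explicit settings always win, the same way the original code overrides
  // TERM, VITE_BASE_PATH and PATH after the spread.
  return Object.assign(env, overrides);
}

// Same idea as the PATH cleanup in src/cli/terminal-welcome.js: drop the
// package's own shim directory before handing PATH to the child.
function cleanedPath(path, shimSuffix = '.storyboard/terminals/bin') {
  return path.split(':').filter(p => p && !p.endsWith(shimSuffix)).join(':');
}

// Spawn options for the Vite dev server; only VITE_* variables cross over.
function viteSpawnOptions(basePath, sourceEnv = process.env) {
  return {
    env: buildChildEnv(sourceEnv, { allowPrefixes: ['VITE_'], overrides: { VITE_BASE_PATH: basePath } }),
    stdio: ['ignore', 'pipe', 'pipe'],
  };
}

// Drop-in for the `spawn('npx', ['vite', ...])` calls flagged above.
function spawnVite(port, basePath, sourceEnv = process.env) {
  const { spawn } = require('node:child_process');
  return spawn('npx', ['vite', '--port', String(port)], viteSpawnOptions(basePath, sourceEnv));
}

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV = {
  PATH: '/home/dev/.storyboard/terminals/bin:/usr/local/bin:/usr/bin:/bin',
  HOME: '/home/dev',
  TERM: 'screen',
  VITE_PUBLIC_URL: 'https://example.test',
  VITE_API_SECRET: 'placeholder-should-not-cross',
  AWS_SECRET_ACCESS_KEY: 'placeholder',
  NPM_TOKEN: 'placeholder',
  GITHUB_TOKEN: 'placeholder',
};
```

With SAMPLE_ENV, buildChildEnv forwards PATH, HOME, TERM and VITE_PUBLIC_URL and drops the four credential-like names; the terminal-server.js spawn, where the user expects a full shell environment, is the one place where keeping the spread and documenting it (as the accepted-risk entry does) is defensible.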
Published via CI/CD with a Sigstore-signed SLSA provenance attestation (predicate type: https://slsa.dev/provenance/v1). Of the signals this report checks, this is the strongest for supply chain integrity: it ties the published tarball to a specific source commit and CI workflow, so a tarball that was not produced by that build is detectable. It does not vouch for the source itself; the env-spread findings above describe what the attested build contains.
v4.2.5
6 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/6ec4a1f6700f778d9623cb48c1fcb3646bfbf403/src/canvas/terminal-server.js#L652
```js
  650 | rows: 24,
  651 | cwd: process.cwd(),
> 652 | env: { ...process.env, TERM: 'xterm-256color' },
  653 | })
  654 | } catch (err) {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/6ec4a1f6700f778d9623cb48c1fcb3646bfbf403/src/cli/create.js#L109
```js
  107 |
  108 | const child = spawn('npx', ['vite', '--port', String(port)], {
> 109 | env: { ...process.env, VITE_BASE_PATH: basePath },
  110 | stdio: ['ignore', 'pipe', 'pipe'],
  111 | detached: true,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/6ec4a1f6700f778d9623cb48c1fcb3646bfbf403/src/cli/terminal-welcome.js#L66
```js
  64 | .filter(p => !p.endsWith('.storyboard/terminals/bin'))
  65 | .join(':')
> 66 | return { ...process.env, PATH: cleanPath }
  67 | }
  68 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/6ec4a1f6700f778d9623cb48c1fcb3646bfbf403/src/server/index.js#L134
```js
  132 | ? spawn(localVite, viteArgs, {
  133 | cwd,
> 134 | env: { ...process.env, VITE_BASE_PATH: basePath },
  135 | stdio: ['ignore', 'pipe', 'pipe'],
  136 | })
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/6ec4a1f6700f778d9623cb48c1fcb3646bfbf403/src/server/index.js#L139
```js
  137 | : spawn('npx', ['vite', ...viteArgs], {
  138 | cwd,
> 139 | env: { ...process.env, VITE_BASE_PATH: basePath },
  140 | stdio: ['ignore', 'pipe', 'pipe'],
  141 | })
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.2.4
6 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/c7e908ba5436af6f81c46319e9e6c1c3462bf76f/src/canvas/terminal-server.js#L652
```js
  650 | rows: 24,
  651 | cwd: process.cwd(),
> 652 | env: { ...process.env, TERM: 'xterm-256color' },
  653 | })
  654 | } catch (err) {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/c7e908ba5436af6f81c46319e9e6c1c3462bf76f/src/cli/create.js#L109
```js
  107 |
  108 | const child = spawn('npx', ['vite', '--port', String(port)], {
> 109 | env: { ...process.env, VITE_BASE_PATH: basePath },
  110 | stdio: ['ignore', 'pipe', 'pipe'],
  111 | detached: true,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/c7e908ba5436af6f81c46319e9e6c1c3462bf76f/src/cli/terminal-welcome.js#L66
```js
  64 | .filter(p => !p.endsWith('.storyboard/terminals/bin'))
  65 | .join(':')
> 66 | return { ...process.env, PATH: cleanPath }
  67 | }
  68 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/c7e908ba5436af6f81c46319e9e6c1c3462bf76f/src/server/index.js#L134
```js
  132 | ? spawn(localVite, viteArgs, {
  133 | cwd,
> 134 | env: { ...process.env, VITE_BASE_PATH: basePath },
  135 | stdio: ['ignore', 'pipe', 'pipe'],
  136 | })
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/c7e908ba5436af6f81c46319e9e6c1c3462bf76f/src/server/index.js#L139
```js
  137 | : spawn('npx', ['vite', ...viteArgs], {
  138 | cwd,
> 139 | env: { ...process.env, VITE_BASE_PATH: basePath },
  140 | stdio: ['ignore', 'pipe', 'pipe'],
  141 | })
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.2.3
6 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/a426ff6f61ee4004137582c3c4f70dade5d8b1d4/src/canvas/terminal-server.js#L652
```js
  650 | rows: 24,
  651 | cwd: process.cwd(),
> 652 | env: { ...process.env, TERM: 'xterm-256color' },
  653 | })
  654 | } catch (err) {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/a426ff6f61ee4004137582c3c4f70dade5d8b1d4/src/cli/create.js#L109
```js
  107 |
  108 | const child = spawn('npx', ['vite', '--port', String(port)], {
> 109 | env: { ...process.env, VITE_BASE_PATH: basePath },
  110 | stdio: ['ignore', 'pipe', 'pipe'],
  111 | detached: true,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/a426ff6f61ee4004137582c3c4f70dade5d8b1d4/src/cli/terminal-welcome.js#L66
```js
  64 | .filter(p => !p.endsWith('.storyboard/terminals/bin'))
  65 | .join(':')
> 66 | return { ...process.env, PATH: cleanPath }
  67 | }
  68 |
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/a426ff6f61ee4004137582c3c4f70dade5d8b1d4/src/server/index.js#L134
```js
  132 | ? spawn(localVite, viteArgs, {
  133 | cwd,
> 134 | env: { ...process.env, VITE_BASE_PATH: basePath },
  135 | stdio: ['ignore', 'pipe', 'pipe'],
  136 | })
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/dfosco/storyboard/blob/a426ff6f61ee4004137582c3c4f70dade5d8b1d4/src/server/index.js#L139
```js
  137 | : spawn('npx', ['vite', ...viteArgs], {
  138 | cwd,
> 139 | env: { ...process.env, VITE_BASE_PATH: basePath },
  140 | stdio: ['ignore', 'pipe', 'pipe'],
  141 | })
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.