← Home

@eminent337/aery

npm Repository Homepage

Aery — AI coding agent by Aryee

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

eminent337

Keywords

coding-agentaillmclituiagent

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:env-spread AI (semgrep): Passes process.env to a subprocess in an examples/extensions file; standard and expected pattern. ai
semgrep semgrep:new-function-constructor AI (semgrep): Used in examples/doom-overlay to bootstrap the DOOM JS engine module; expected pattern for this use case. ai
semgrep semgrep:base64-decode AI (semgrep): Decodes base64 image data to write a file in examples/antigravity-image-gen; benign image generation utility. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): 127.0.0.1 localhost OAuth redirect URI in an example GitLab Duo provider; not a remote exfiltration endpoint. ai
semgrep semgrep:steganography-image-eval AI (semgrep): Fires on examples/doom-overlay reading a WAD game data file, not a steganography attack. ai
phantom-deps phantom-dep:marked AI (phantom-deps): marked is declared as a runtime dep and likely used indirectly via config/bundled code; stable false positive. ai
phantom-deps phantom-dep:duck-duck-scrape AI (phantom-deps): duck-duck-scrape is a declared dep used by AI agent search features; phantom-dep heuristic false positive. ai
semgrep semgrep:child-process-import AI (semgrep): Used in examples/notify.ts to send Windows toast notifications via powershell; expected system integration pattern. ai

Versions (showing 100 of 100)

Version Deps Published
0.74.2 16 / 8
0.74.1 16 / 8
0.1.147 17 / 11
0.1.142 16 / 8
0.1.141 16 / 8
0.1.119 16 / 8
0.1.117 16 / 8
0.1.116 16 / 8
0.1.115 22 / 8
0.1.114 22 / 8
0.1.113 22 / 8
0.1.112 22 / 8
0.1.111 22 / 8
0.1.110 22 / 8
0.1.109 22 / 8
0.1.108 22 / 8
0.1.107 22 / 8
0.1.106 22 / 8
0.1.105 22 / 8
0.1.104 22 / 8
0.1.103 22 / 8
0.1.102 22 / 8
0.1.101 22 / 8
0.1.100 22 / 8
0.1.99 22 / 8
0.1.98 22 / 8
0.1.97 22 / 8
0.1.96 22 / 8
0.1.95 22 / 8
0.1.94 22 / 8
0.1.93 22 / 8
0.1.92 22 / 8
0.1.91 22 / 8
0.1.90 22 / 8
0.1.89 22 / 8
0.1.88 22 / 8
0.1.87 22 / 8
0.1.86 22 / 8
0.1.85 22 / 8
0.1.84 22 / 8
0.1.83 22 / 8
0.1.82 22 / 8
0.1.81 22 / 8
0.1.80 22 / 8
0.1.79 22 / 8
0.1.78 22 / 8
0.1.77 22 / 8
0.1.76 22 / 8
0.1.75 22 / 8
0.1.74 22 / 8
0.1.73 22 / 8
0.1.72 22 / 8
0.1.71 22 / 8
0.1.70 22 / 8
0.1.69 22 / 8
0.1.68 22 / 8
0.1.67 22 / 8
0.1.63 22 / 8
0.1.62 22 / 8
0.1.61 22 / 8
0.1.60 22 / 8
0.1.57 23 / 8
0.1.56 23 / 8
0.1.55 23 / 8
0.1.54 23 / 8
0.1.53 23 / 8
0.1.44 23 / 8
0.1.43 23 / 8
0.1.42 23 / 8
0.1.41 23 / 8
0.1.40 23 / 8
0.1.39 23 / 8
0.1.38 22 / 8
0.1.37 22 / 8
0.1.36 22 / 8
0.1.35 22 / 8
0.1.34 22 / 8
0.1.33 22 / 8
0.1.32 22 / 8
0.1.31 22 / 8
0.1.30 22 / 8
0.1.29 22 / 8
0.1.28 22 / 8
0.1.27 22 / 8
0.1.26 22 / 8
0.1.25 22 / 8
0.1.24 22 / 8
0.1.23 22 / 8
0.1.22 22 / 8
0.1.21 22 / 8
0.1.20 22 / 8
0.1.19 22 / 8
0.1.18 22 / 8
0.1.17 22 / 8
0.1.16 22 / 8
0.1.15 22 / 8
0.1.14 22 / 8
0.1.13 19 / 8
0.1.12 22 / 8
0.1.10 22 / 8

v0.74.2

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/676a1533ad586e16ab25afacb42b9a65a02d68aa/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/676a1533ad586e16ab25afacb42b9a65a02d68aa/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/676a1533ad586e16ab25afacb42b9a65a02d68aa/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.74.1

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/615d8d1bd47e4805626f23a3413a5f37686ae6f9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/615d8d1bd47e4805626f23a3413a5f37686ae6f9/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/615d8d1bd47e4805626f23a3413a5f37686ae6f9/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.147

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/0d70521e4f81baa9c633eb21cfa33a1a1cf25500/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0d70521e4f81baa9c633eb21cfa33a1a1cf25500/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0d70521e4f81baa9c633eb21cfa33a1a1cf25500/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.142

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/7acbd369df9c50af8e721d4576e9c345117948e9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/7acbd369df9c50af8e721d4576e9c345117948e9/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/7acbd369df9c50af8e721d4576e9c345117948e9/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.141

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/86f4cb7347ea296e20eed72811f457a070453fff/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/86f4cb7347ea296e20eed72811f457a070453fff/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/86f4cb7347ea296e20eed72811f457a070453fff/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.119

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/967aee5a7c66100a229a21b5046ae5c40afc57ff/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/967aee5a7c66100a229a21b5046ae5c40afc57ff/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/967aee5a7c66100a229a21b5046ae5c40afc57ff/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.117

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/270fe47c73f79233b963917b594ecc2420c66dea/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/270fe47c73f79233b963917b594ecc2420c66dea/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/270fe47c73f79233b963917b594ecc2420c66dea/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.116

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/83ad893a21df82b1839722d723530d5cfb0226c5/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/83ad893a21df82b1839722d723530d5cfb0226c5/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/83ad893a21df82b1839722d723530d5cfb0226c5/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.115

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4f161ea384c8f75fab998d3aaec2b7abea4f3af7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4f161ea384c8f75fab998d3aaec2b7abea4f3af7/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4f161ea384c8f75fab998d3aaec2b7abea4f3af7/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.114

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/b39d9634ccb6b4f4034e0cdfe41e55fa230e2b81/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/b39d9634ccb6b4f4034e0cdfe41e55fa230e2b81/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/b39d9634ccb6b4f4034e0cdfe41e55fa230e2b81/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.113

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/75b15d6b32f457e111fcc80a701085577a9c7fd4/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/75b15d6b32f457e111fcc80a701085577a9c7fd4/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/75b15d6b32f457e111fcc80a701085577a9c7fd4/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.112

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/3a9e3132d60ea8c3c926f48dada2628232b591ba/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/3a9e3132d60ea8c3c926f48dada2628232b591ba/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/3a9e3132d60ea8c3c926f48dada2628232b591ba/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.111

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/e73cf67c0db357cb399ff95a818b7718fdb64f20/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e73cf67c0db357cb399ff95a818b7718fdb64f20/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e73cf67c0db357cb399ff95a818b7718fdb64f20/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.110

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/52e1fd331d36229883dfdcc9a017b32eb2f04d3e/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/52e1fd331d36229883dfdcc9a017b32eb2f04d3e/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/52e1fd331d36229883dfdcc9a017b32eb2f04d3e/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.109

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/0a824f9eafe4d93c64d6a63bb67edf26bd912fe2/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0a824f9eafe4d93c64d6a63bb67edf26bd912fe2/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0a824f9eafe4d93c64d6a63bb67edf26bd912fe2/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.108

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/326db1ad21e6c89be5607e59d554f42b56250609/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/326db1ad21e6c89be5607e59d554f42b56250609/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/326db1ad21e6c89be5607e59d554f42b56250609/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.107

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/801ac3af5e0c5e725138566f9e9a1ba5f7883547/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/801ac3af5e0c5e725138566f9e9a1ba5f7883547/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/801ac3af5e0c5e725138566f9e9a1ba5f7883547/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.106

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/e20e7bfb546c404ebb088879b8c2531d51ccf045/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e20e7bfb546c404ebb088879b8c2531d51ccf045/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e20e7bfb546c404ebb088879b8c2531d51ccf045/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.105

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/59a923862d601a527cd1a0ac90f792f08a6a08c3/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/59a923862d601a527cd1a0ac90f792f08a6a08c3/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/59a923862d601a527cd1a0ac90f792f08a6a08c3/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.104

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/ea8c18131548cb18860b7bc889adbc6b29001a31/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/ea8c18131548cb18860b7bc889adbc6b29001a31/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/ea8c18131548cb18860b7bc889adbc6b29001a31/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.103

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/9a1d8d4e766f588fa814503e3441d6a554aa321b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/9a1d8d4e766f588fa814503e3441d6a554aa321b/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/9a1d8d4e766f588fa814503e3441d6a554aa321b/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.102

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4f32aaec49a2fe56b6160e25c5993cf9fba19861/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4f32aaec49a2fe56b6160e25c5993cf9fba19861/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4f32aaec49a2fe56b6160e25c5993cf9fba19861/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.101

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/a12c004e4356c01c4a58897963a0b2cebaa96789/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/a12c004e4356c01c4a58897963a0b2cebaa96789/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/a12c004e4356c01c4a58897963a0b2cebaa96789/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.100

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/e69c795bd7476a2f6c0be19f1d79f8910e38da6f/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e69c795bd7476a2f6c0be19f1d79f8910e38da6f/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e69c795bd7476a2f6c0be19f1d79f8910e38da6f/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.99

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/157e0381b6d1b747e08ab751bb0ee85e3f2996ab/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/157e0381b6d1b747e08ab751bb0ee85e3f2996ab/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/157e0381b6d1b747e08ab751bb0ee85e3f2996ab/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.98

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/7eb94c6757831b62beadb116e920d1b391fda5b9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/7eb94c6757831b62beadb116e920d1b391fda5b9/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/7eb94c6757831b62beadb116e920d1b391fda5b9/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.97

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/6ebdc4ad6277cc336e5539a02d8d918a8f699ba6/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/6ebdc4ad6277cc336e5539a02d8d918a8f699ba6/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/6ebdc4ad6277cc336e5539a02d8d918a8f699ba6/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.96

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/fce8ab47baab21aa9bfcd729c93c8cde92a80820/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/fce8ab47baab21aa9bfcd729c93c8cde92a80820/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/fce8ab47baab21aa9bfcd729c93c8cde92a80820/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.95

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/069d18a06952d24d4d519385b764a920d4eec0a7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/069d18a06952d24d4d519385b764a920d4eec0a7/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/069d18a06952d24d4d519385b764a920d4eec0a7/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.94

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/fc7ef3084c665831c048ea4ad1b8dabe17ea2435/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/fc7ef3084c665831c048ea4ad1b8dabe17ea2435/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/fc7ef3084c665831c048ea4ad1b8dabe17ea2435/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.93

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/0fb96250e6a924563c0fbef6d363f630f6a68398/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0fb96250e6a924563c0fbef6d363f630f6a68398/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/0fb96250e6a924563c0fbef6d363f630f6a68398/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.92

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/976730c08ac02057e20d2dc6fce6374f8fcd3014/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/976730c08ac02057e20d2dc6fce6374f8fcd3014/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/976730c08ac02057e20d2dc6fce6374f8fcd3014/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.91

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/a80b326bd1c0f1bceac50dc30889c7348caae630/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/a80b326bd1c0f1bceac50dc30889c7348caae630/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/a80b326bd1c0f1bceac50dc30889c7348caae630/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.90

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/e04acc83fdf544882aa3a4df011c3ea0f81bbe63/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e04acc83fdf544882aa3a4df011c3ea0f81bbe63/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/e04acc83fdf544882aa3a4df011c3ea0f81bbe63/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.89

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4a1b3069909717e13c2b6aab0e880ff3b6c02c74/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4a1b3069909717e13c2b6aab0e880ff3b6c02c74/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/4a1b3069909717e13c2b6aab0e880ff3b6c02c74/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.88

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/5ae6218aa3398ee80898386523042d40d53772a9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/5ae6218aa3398ee80898386523042d40d53772a9/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/5ae6218aa3398ee80898386523042d40d53772a9/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.87

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/41bec1b8237256fe8caf974ef6d5c043e2d10a9d/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/41bec1b8237256fe8caf974ef6d5c043e2d10a9d/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/41bec1b8237256fe8caf974ef6d5c043e2d10a9d/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.86

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/47b49f838edcace8a0a9dd8d0d737b4a93da3ebd/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/47b49f838edcace8a0a9dd8d0d737b4a93da3ebd/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/47b49f838edcace8a0a9dd8d0d737b4a93da3ebd/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.85

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8efb630a044d2bdd60bca9fb7bb414dd549c273f/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/8efb630a044d2bdd60bca9fb7bb414dd549c273f/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/8efb630a044d2bdd60bca9fb7bb414dd549c273f/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.84

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/5f88866aefaaf349223dea5b4765f680e8ee5412/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/5f88866aefaaf349223dea5b4765f680e8ee5412/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/5f88866aefaaf349223dea5b4765f680e8ee5412/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.83

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/2633a3203e7cf2fc9171331f63c77b62b53395a9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/2633a3203e7cf2fc9171331f63c77b62b53395a9/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/2633a3203e7cf2fc9171331f63c77b62b53395a9/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.82

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8262277f00116a61ad342eeb84032e8da83f5fbb/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/8262277f00116a61ad342eeb84032e8da83f5fbb/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/8262277f00116a61ad342eeb84032e8da83f5fbb/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.81

4 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/3f4b415a9f55d2f9f3b161d0d281452fcee82ffc/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

HIGH env-spread: examples/extensions/stitch.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/3f4b415a9f55d2f9f3b161d0d281452fcee82ffc/examples/extensions/stitch.ts#L39 37 | ["@_davideast/stitch-mcp", "tool", toolName, "-d", JSON.stringify(data)], 38 | { > 39 | env: { ...process.env }, 40 | timeout: 30000, 41 | },

HIGH env-spread: examples/extensions/stitch.ts:137 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eminent337/aery/blob/3f4b415a9f55d2f9f3b161d0d281452fcee82ffc/examples/extensions/stitch.ts#L137 135 | // Run stitch-mcp init in a visible subprocess 136 | await execFileAsync("npx", ["@_davideast/stitch-mcp", "init"], { > 137 | env: { ...process.env }, 138 | timeout: 120000, 139 | stdio: "inherit",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.80

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8127ccd4c7b14322eaf202d3295ceb847b8a02ec/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.79

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8c2688484bb323107bb017c4897f847cb8cdf474/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.78

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/9223d39e3c67706cbe622babbdab1df3d4067bfa/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.77

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/550ccd56b124878238a78a0e793ca07bb123bced/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.76

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/b39c2f8e576bf64f2e99d0091f8d084be077c791/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.75

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/a6096f112feeba58aa2a28bb897b49e728c728b3/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.74

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/be3227def91ec9f2e718ffdeb1c5a353c5f7164e/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.73

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/5262bc455eb3cc93a3b57bdac7106fa2ee7a681b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.72

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/11014dde6e9a1f197832ac220d6fee2871a390aa/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.71

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/2a6020d1b407174be6fe1e642e890e9fea190349/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.70

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/5608c1131fd6a1772c8e2f847742c206e601d351/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.69

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/16d85dd6a0575f32aa15ac973f923640608f660e/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.68

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8226844185b73763684240189ba59d0042e4a1db/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.67

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/ddd492496021d4d931b3dbb3e2d0315daa87cabf/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.63

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/f9d61a63966a5fbaa51d59cd12b5f977bfaac0ad/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.62

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/b12e3829bc1b332ec770e5ae77ca59a6186a0d90/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.61

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4c038878ea8a8b358d210e7bd3c25524dbc8cac5/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.60

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4c038878ea8a8b358d210e7bd3c25524dbc8cac5/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.57

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/ee142b45d15b051f8b06e86f2528a363a11a00ae/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.56

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/ea4725e394aee4ccb7e3ba5675e19d8fcdbb98b4/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.55

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4c9614458fc35d3ea0935d52e37173d359766a69/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.54

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/76f3284b40f857c3e94b75f10d34e6e0fa027fa1/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.53

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/8ffdde5f4a7849a4b0be98626a175759884a3f13/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.44

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/f7e8dbdd62613696a9e8b44717b47359d1fe39a7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.43

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/f7e8dbdd62613696a9e8b44717b47359d1fe39a7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.42

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/c61e7ffaac0ae19ff12d4b329d99cb945f969d2b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.41

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/317d3cf2b26965ec8f163e9fd3e6790c3e483edb/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.40

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/9aae71d7456a412acc7fc772c4c7c3c5e1d395a9/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.39

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/c0632463c794391ef9c56a42f270964f9352514d/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.38

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/53c4c27c755d9351389abdfbdac13ced0723a387/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.37

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/cbc61315329d30424ab1f928258824d53234c89f/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.36

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/55e329ac8489ca35874d4c23c72461a2e6be7726/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.35

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/55446d81ebc6081a1602c9532bb9da51cc879159/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.34

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/2377e98ac8dbdb7d9a8aca5cd62d84f48b40eea7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.33

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/2377e98ac8dbdb7d9a8aca5cd62d84f48b40eea7/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.32

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/4d646c0c0e199eacd7e9272088bff06b974f6c92/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.31

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/c3433ee38f21abb85f7ab967c710ebb31d799b58/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.30

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/875f27751f1aad3699b8c80c699a284afcb5e5e8/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.29

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/38007160c3f0d55b500ab751ddc6e2599ee60006/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.28

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/e90c055be57ee60dfcfd2d3249d76cf1e6916bcd/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.27

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/b911df4e08e8a682e891ac56a1fe1b228e6ebb3b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.26

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/7e866cae03a162c8907a5a9b7155f6bda2b1764b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.25

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/987ca1211266a1da022dc5140f49fb084b93406b/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.24

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/44f583b5085d473f30f756cf067c90619b868db5/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.23

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/5a11ee63a98f084ce43ca65dbb64a702d7dd09ef/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.22

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/eafae4001df39c6d259f3183dfe9f3dcee72c627/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.21

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/ce4f576b205d088621a13283b6b480fe21648a22/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.20

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/b879fe3eb3434f892994b2477746902a1b97857d/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.19

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/830c3d32b59fb56a7bdbdd48ce84cb64827980d5/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.18

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/57aa133706a89018453fe672eb65291d916da408/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.17

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/6fd976895e48d8a81b211049685299165db66658/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.16

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/c77261a8df82e902b43e01a241b4861326a83b90/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.15

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/87c17e25c66918587596397765984f270fc26eea/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.14

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/d95f9a88ac1f2375b64fd4625c37e50604cf5346/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.13

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/d95f9a88ac1f2375b64fd4625c37e50604cf5346/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.12

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/1a561fe9b53f53bd7f1741a01671b2284dd656ec/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.10

2 findings
HIGH steganography-image-eval: examples/extensions/doom-overlay/doom-engine.ts:58 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/eminent337/aery/blob/0c862faade628fe71a6190a1e66e1e821dade91a/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.