@evjs/ev
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Pattern is spreading process.env to pass environment to a child process with NODE_ENV override — standard and benign for this package. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @evjs namespace package; not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @evjs namespace package; not a typosquat of qs. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @evjs namespace package; not a typosquat of ajv. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 0.1.11 | 4 / 3 | |
| 0.1.10 | 4 / 3 | |
| 0.1.9 | 4 / 3 | |
| 0.1.8 | 4 / 3 | |
| 0.1.7 | 4 / 3 | |
| 0.1.6 | 4 / 3 | |
| 0.1.5 | 4 / 3 | |
| 0.1.4 | 4 / 3 | |
| 0.1.3 | 4 / 3 | |
| 0.1.2 | 4 / 3 | |
| 0.1.1 | 4 / 3 | |
| 0.1.0 | 2 / 2 | |
| 0.0.33 | 2 / 2 | |
| 0.0.32 | 2 / 2 | |
| 0.0.30 | 2 / 2 | |
| 0.0.29 | 2 / 1 | |
| 0.0.28 | 2 / 1 | |
| 0.0.27 | 2 / 1 | |
| 0.0.26 | 2 / 1 | |
| 0.0.25 | 2 / 1 | |
| 0.0.24 | 2 / 1 | |
| 0.0.23 | 2 / 1 | |
| 0.0.22 | 2 / 1 | |
| 0.0.21 | 2 / 1 | |
| 0.0.20 | 2 / 1 | |
| 0.0.19 | 2 / 1 | |
| 0.0.18 | 2 / 1 | |
v0.1.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/a5e24520d3199ae17d9f65d48f61d67c31284cf6/esm/commands.js#L333

```text
  331 |   const child = execa("node", [bootstrapPath], {
  332 |     stdio: ["inherit", "pipe", "pipe"],
> 333 |     env: { ...process.env, NODE_ENV: "development" },
  334 |   });
  335 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/de674f6fe7565033da0337d7e01f60c79ba08aa3/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.6
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/7375ec2944feffe8e02eb34dae962c330b312db7/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/1658da685b7edfe69de63e649da7fc6e98d64d9c/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.4
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/9e061617669469898799bdfe72003304cf359ecc/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.3
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/09ecfe7bb5cb4235125683612a2af66b01d8d512/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.2
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/1f55454af1337c6a58ef274fc3468d0befc2a944/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1
2 findings:

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/evaijs/evjs/blob/d9116c82afaac2fe73bb656036ad11c1a8ab2d91/esm/commands.js#L257

```text
  255 |   const child = execa("node", [bootstrapPath], {
  256 |     stdio: ["inherit", "pipe", "pipe"],
> 257 |     env: { ...process.env, NODE_ENV: "development" },
  258 |   });
  259 |   apiProcess = child;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.