@flakiness/sdk
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env to construct a safe git subprocess environment with overrides; not exfiltration. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only FK_ENV_-prefixed keys for SDK config; intentional and scoped enumeration. | ai | |
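The two patterns behind the accepted findings, shown as an added example that is not code from @flakiness/sdk (the flagged snippet itself appears in the per-version findings below): spreading process.env into a git subprocess environment, which is what semgrep:env-spread flags, beside an allowlisted build of the same environment; and an FK_ENV_-scoped enumeration of the kind semgrep:env-bulk-read flags. All names here (GIT_OVERRIDES, GIT_ALLOWLIST, buildGitEnvSpread, buildGitEnvAllowlist, readSdkConfig, leakedKeys, SAMPLE_ENV) and the sample environment are this example's own; the particular git override and the prefix-to-key mapping are illustrative choices, not the SDK's.

```javascript
// Added example, not code from @flakiness/sdk: the two environment-handling
// patterns behind the accepted semgrep findings, each beside a tighter form.
// All names here are this example's own.

// One-shot git config overrides via GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n /
// GIT_CONFIG_VALUE_n (supported since git 2.31). The flagged snippet sets
// GIT_CONFIG_COUNT the same way; the key/value pair below is illustrative.
const GIT_OVERRIDES = {
  GIT_CONFIG_COUNT: "1",
  GIT_CONFIG_KEY_0: "core.hooksPath",
  GIT_CONFIG_VALUE_0: "/dev/null", // repository hooks never run
  GIT_TERMINAL_PROMPT: "0",        // fail instead of blocking on a credential prompt
};

// What semgrep:env-spread flags: every variable in the parent environment,
// secrets included, reaches the git child process. The overrides still win
// because they are spread last.
function buildGitEnvSpread(env) {
  return { ...env, ...GIT_OVERRIDES };
}

// Tighter form: pass only what git needs to find binaries, config and
// credentials, then apply the overrides. Unknown variables never reach the child.
const GIT_ALLOWLIST = [
  "PATH", "HOME", "USER", "LANG", "LC_ALL", "TMPDIR", "SSH_AUTH_SOCK", "SystemRoot",
];
function buildGitEnvAllowlist(env) {
  const child = {};
  for (const key of GIT_ALLOWLIST) {
    if (env[key] !== undefined) child[key] = env[key];
  }
  return { ...child, ...GIT_OVERRIDES };
}

// What semgrep:env-bulk-read flags: the whole environment is enumerated, but
// only the SDK's own FK_ENV_ namespace is copied into config. Keys are lowered
// with the prefix stripped; that mapping is this example's choice.
const FK_ENV_PREFIX = "FK_ENV_";
function readSdkConfig(env) {
  const config = {};
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith(FK_ENV_PREFIX)) continue;
    config[key.slice(FK_ENV_PREFIX.length).toLowerCase()] = value;
  }
  return config;
}

// Parent variables that reach the child without being allowlisted or overridden.
function leakedKeys(env, childEnv) {
  const intended = new Set([...GIT_ALLOWLIST, ...Object.keys(GIT_OVERRIDES)]);
  return Object.keys(childEnv)
    .filter((key) => key in env && !intended.has(key))
    .sort();
}

// Constructed sample environment standing in for process.env on a CI runner.
const SAMPLE_ENV = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/ci",
  AWS_SECRET_ACCESS_KEY: "constructed-secret",
  NPM_TOKEN: "constructed-token",
  FK_ENV_API_URL: "https://example.invalid/api",
  FK_ENV_PROJECT: "demo",
  GIT_CONFIG_COUNT: "3", // inherited value that the override must replace
};

console.log("leaked by spread:", leakedKeys(SAMPLE_ENV, buildGitEnvSpread(SAMPLE_ENV)));
console.log("leaked by allowlist:", leakedKeys(SAMPLE_ENV, buildGitEnvAllowlist(SAMPLE_ENV)));
console.log("sdk config:", readSdkConfig(SAMPLE_ENV));
```

The spread form is what the reviewer accepted: the child is git, the overrides are applied last, and nothing reads the inherited values back out, so the concern is inheritance of unrelated secrets by a trusted subprocess rather than exfiltration. The allowlist form removes even that exposure at the cost of having to know which variables git actually needs on each platform, which is the trade-off behind the accepted-risk decision.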
Versions (showing 51 of 82)
| Version | Deps | Published |
|---|---|---|
| 3.3.1 | 5 / 10 | |
| 3.3.0 | 5 / 10 | |
| 3.2.0 | 5 / 10 | |
| 3.1.0 | 5 / 10 | |
| 3.0.0 | 5 / 10 | |
| 2.7.0 | 5 / 10 | |
| 2.6.0 | 5 / 10 | |
| 2.5.0 | 5 / 10 | |
| 2.4.0 | 5 / 10 | |
| 2.3.1 | 5 / 10 | |
| 2.2.2 | 5 / 9 | |
| 2.2.1 | 5 / 7 | |
| 2.2.0 | 5 / 7 | |
| 2.1.0 | 5 / 7 | |
| 2.0.0 | 5 / 7 | |
| 1.1.0 | 5 / 7 | |
| 1.0.2 | 5 / 7 | |
| 1.0.1 | 5 / 7 | |
| 1.0.0 | 5 / 7 | |
| 0.155.0 | 5 / 7 | |
| 0.154.0 | 6 / 6 | |
| 0.153.0 | 6 / 6 | |
| 0.152.0 | 5 / 6 | |
| 0.151.0 | 6 / 7 | |
| 0.150.2 | 6 / 7 | |
| 0.150.1 | 6 / 7 | |
| 0.150.0 | 6 / 7 | |
| 0.149.1 | 6 / 1 | |
| 0.149.0 | 6 / 1 | |
| 0.148.0 | 7 / 2 | |
| 0.147.0 | 11 / 4 | |
| 0.146.1 | 14 / 5 | |
| 0.146.0 | 14 / 5 | |
| 0.145.1 | 14 / 5 | |
| 0.145.0 | 14 / 5 | |
| 0.144.0 | 14 / 5 | |
| 0.143.0 | 14 / 5 | |
| 0.142.0 | 14 / 5 | |
| 0.141.0 | 14 / 5 | |
| 0.140.0 | 14 / 5 | |
| 0.139.0 | 14 / 5 | |
| 0.138.0 | 14 / 5 | |
| 0.137.0 | 14 / 5 | |
| 0.135.0 | 13 / 5 | |
| 0.134.0 | 13 / 5 | |
| 0.133.0 | 13 / 5 | |
| 0.132.0 | 13 / 5 | |
| 0.131.0 | 13 / 5 | |
| 0.130.0 | 13 / 5 | |
| 0.129.4 | 13 / 5 | |
| 0.129.3 | 13 / 5 | |
v3.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
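What an attested version actually gives a consumer, as an added example that is not code from this page, the SDK, or npm's own verifier: a policy check over a decoded in-toto statement carrying the https://slsa.dev/provenance/v1 predicate, the predicate type reported for the attested versions here. The statement, tarball digest, commit hash and repository URL (example-org/flakiness) are constructed placeholders, not the SDK's real values; the purl-style subject name and the GitHub-hosted builder id are assumptions about how npm provenance is shaped. Nothing here verifies the Sigstore signature or transparency-log entry; `npm audit signatures` does that for installed packages, and this is the check that belongs on top of it.

```javascript
// Added example, not code from @flakiness/sdk or from npm: a consumer-side policy
// check over a decoded in-toto statement whose predicate is SLSA provenance v1.
// Everything in SAMPLE_STATEMENT is constructed; EXPECTED.sourceRepo is a
// placeholder, not the SDK's real repository. Signature and transparency-log
// verification are out of scope here (npm audit signatures does that part).

const IN_TOTO_V1 = "https://in-toto.io/Statement/v1";

const EXPECTED = {
  predicateType: "https://slsa.dev/provenance/v1",
  // purl-style subject name as npm provenance spells scoped packages (assumed).
  subjectName: "pkg:npm/%40flakiness/sdk@3.3.1",
  // Builder id for GitHub-hosted runners; a self-hosted runner would differ.
  builderId: "https://github.com/actions/runner/github-hosted",
  sourceRepo: "https://github.com/example-org/flakiness", // placeholder
};

const SAMPLE_TARBALL_SHA512 = "a".repeat(128); // constructed digest of the tarball
const SAMPLE_COMMIT = "b".repeat(40);          // constructed source commit

const SAMPLE_STATEMENT = {
  _type: IN_TOTO_V1,
  subject: [{ name: EXPECTED.subjectName, digest: { sha512: SAMPLE_TARBALL_SHA512 } }],
  predicateType: "https://slsa.dev/provenance/v1",
  predicate: {
    buildDefinition: {
      buildType: "https://actions.github.io/buildtypes/workflow/v1",
      externalParameters: {
        workflow: { ref: "refs/heads/main", repository: EXPECTED.sourceRepo, path: ".github/workflows/release.yml" },
      },
      resolvedDependencies: [
        { uri: `git+${EXPECTED.sourceRepo}@refs/heads/main`, digest: { gitCommit: SAMPLE_COMMIT } },
      ],
    },
    runDetails: { builder: { id: EXPECTED.builderId } },
  },
};

// Returns { ok, problems }. Every expectation is pinned by the consumer: a
// statement that is validly signed but names another repository, builder or
// tarball digest must fail here even though Sigstore would accept its signature.
function checkProvenance(statement, expected, tarballSha512) {
  const problems = [];
  if (statement._type !== IN_TOTO_V1) problems.push(`unexpected statement type ${statement._type}`);
  if (statement.predicateType !== expected.predicateType) {
    problems.push(`unexpected predicateType ${statement.predicateType}`);
  }
  const subject = (statement.subject || []).find((s) => s.name === expected.subjectName);
  if (!subject) problems.push(`subject ${expected.subjectName} is not attested`);
  else if (subject.digest?.sha512 !== tarballSha512) problems.push("subject digest does not match the tarball");

  const builderId = statement.predicate?.runDetails?.builder?.id;
  if (builderId !== expected.builderId) problems.push(`unexpected builder ${builderId}`);

  const deps = statement.predicate?.buildDefinition?.resolvedDependencies || [];
  const sourcePrefix = `git+${expected.sourceRepo}@`;
  const source = deps.find((d) => typeof d.uri === "string" && d.uri.startsWith(sourcePrefix));
  if (!source) problems.push(`no resolved dependency from ${expected.sourceRepo}`);
  else if (!/^[0-9a-f]{40}$/.test(source.digest?.gitCommit || "")) problems.push("source commit digest missing or malformed");

  return { ok: problems.length === 0, problems };
}

// Helper for the negative case: same statement, different builder.
function withBuilder(statement, builderId) {
  const copy = JSON.parse(JSON.stringify(statement));
  copy.predicate.runDetails.builder.id = builderId;
  return copy;
}

console.log(checkProvenance(SAMPLE_STATEMENT, EXPECTED, SAMPLE_TARBALL_SHA512));
console.log(checkProvenance(withBuilder(SAMPLE_STATEMENT, "https://github.com/attacker/self-hosted"), EXPECTED, SAMPLE_TARBALL_SHA512));
```

The point of pinning the repository and builder id is that "has provenance" is a property of the attestation, not of the package you meant to install: an attacker who publishes a lookalike from their own workflow gets an equally valid Sigstore attestation, and only a consumer-side expectation like EXPECTED distinguishes the two.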
v3.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v3.2.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 222; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v3.1.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 222; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v3.0.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 222; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.7.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 222; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.6.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 222; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.5.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 226; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.4.0
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 218; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.3.1
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 218; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.2.2
2 findings. Finding 1 of 2: Spreading entire process.env into an object — may capture all secrets (flagged at line 218; accepted as semgrep:env-spread, see Accepted risks). Scanner excerpt:

```js
var log = debug("fk:git");
var execAsync = promisify(exec);
var GIT_SAFE_ENV = {   // flagged line
  ...process.env,
  GIT_CONFIG_COUNT: "1",
```

Finding 2 of 2: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v2.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v1.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v1.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v1.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v1.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v0.155.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v0.154.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v0.153.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v0.152.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). Provenance ties the published tarball to a specific source commit and CI workflow run, which is the strongest supply chain integrity signal the npm registry offers.
v0.151.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.150.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.150.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.150.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.149.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.149.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.148.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.147.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.146.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.146.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.145.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.145.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.144.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.143.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.142.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.141.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.140.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.139.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.138.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.137.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.135.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.134.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.133.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.132.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.131.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.130.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.129.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.
v0.129.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but without it the tarball cannot be tied to a source commit or CI run.