@forgedesk/create-forge-app
Scaffold Forge applications from npm
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread fires on a subprocess env construction pattern (UV_LINK_MODE override); not exfiltration, stable for this scaffolding tool. | ai |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 3.0.6 | 0 / 0 | |
| 3.0.4 | 0 / 0 | |
| 3.0.3 | 0 / 0 | |
| 3.0.1 | 0 / 0 | |
| 2.0.1 | 0 / 0 | |
| 2.0.0 | 0 / 0 |
v3.0.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.4
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/swadhinbiswas/ForgeDesk/blob/a6fad8786a3bf5f26a46a0a12a929eb5b32d4b80/bin/create-forge-app.js#L103 101 | } 102 | > 103 | const uvEnv = { 104 | ...process.env, 105 | UV_LINK_MODE: process.env.UV_LINK_MODE || "copy",
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.