@forwardimpact/libeval
Agent evaluation framework — prove whether agent changes improved outcomes with reproducible evidence.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in benchmark spawn helper — passing process.env to child processes is idiomatic and not exfiltration. | ai | |
| provenance | no-provenance | AI (provenance): Consistent across all @forwardimpact packages; org does not use Sigstore attestation. | ai |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 0.1.54 | 9 / 1 | |
| 0.1.53 | 9 / 1 | |
| 0.1.52 | 9 / 1 | |
| 0.1.51 | 9 / 1 | |
| 0.1.50 | 9 / 1 | |
| 0.1.49 | 9 / 1 | |
| 0.1.48 | 9 / 1 | |
| 0.1.47 | 9 / 1 | |
| 0.1.46 | 8 / 1 | |
| 0.1.45 | 6 / 1 | |
| 0.1.44 | 6 / 1 | |
| 0.1.43 | 6 / 1 | |
| 0.1.42 | 6 / 1 | |
| 0.1.41 | 6 / 1 | |
| 0.1.39 | 6 / 1 | |
| 0.1.38 | 6 / 1 | |
| 0.1.36 | 5 / 1 | |
| 0.1.35 | 5 / 1 | |
| 0.1.34 | 5 / 1 | |
| 0.1.33 | 5 / 1 | |
| 0.1.32 | 5 / 1 | |
| 0.1.31 | 5 / 1 | |
| 0.1.30 | 5 / 1 | |
| 0.1.28 | 5 / 1 | |
| 0.1.27 | 5 / 1 | |
| 0.1.26 | 5 / 1 | |
| 0.1.25 | 5 / 1 | |
| 0.1.24 | 5 / 1 | |
| 0.1.23 | 5 / 1 | |
| 0.1.22 | 5 / 1 | |
| 0.1.21 | 5 / 0 | |
| 0.1.20 | 5 / 0 | |
| 0.1.19 | 5 / 0 | |
| 0.1.18 | 5 / 0 | |
| 0.1.17 | 5 / 0 | |
| 0.1.16 | 5 / 0 | |
| 0.1.15 | 4 / 0 | |
| 0.1.14 | 3 / 0 | |
| 0.1.13 | 3 / 0 | |
| 0.1.12 | 3 / 0 | |
| 0.1.11 | 3 / 0 | |
| 0.1.9 | 1 / 0 | |
| 0.1.8 | 1 / 0 | |
| 0.1.6 | 1 / 0 | |
| 0.1.5 | 1 / 0 | |
| 0.1.3 | 1 / 0 | |
| 0.1.2 | 1 / 0 | |
| 0.1.1 | 1 / 0 | |
| 0.1.0 | 0 / 0 |
v0.1.54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.53
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.52
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.51
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/aa5439f385cf6f7eacca7dd4c1db23304a6d753b/src/benchmark/invariants.js#L54 52 | 53 | const child = spawn(script, [], { > 54 | env: { 55 | ...process.env, 56 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/aa5439f385cf6f7eacca7dd4c1db23304a6d753b/src/benchmark/workdir.js#L166 164 | const child = spawn(script, [], { 165 | cwd, > 166 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 167 | detached: true, 168 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.50
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d265b9b6c6674ac7bd5289236a6f7c15abc8aa2f/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d265b9b6c6674ac7bd5289236a6f7c15abc8aa2f/src/benchmark/workdir.js#L151 149 | const child = spawn(script, [], { 150 | cwd, > 151 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 152 | detached: true, 153 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.49
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/5d7a7f8714eb0a558603f5750116a3218cdbc65d/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/5d7a7f8714eb0a558603f5750116a3218cdbc65d/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.48
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/32341698d6f0896fe8cf5823377aca5e47b6ffc8/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/32341698d6f0896fe8cf5823377aca5e47b6ffc8/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.47
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/51e25d5fb29918122fd1c8cdf3724f7b3fbb3e4f/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/51e25d5fb29918122fd1c8cdf3724f7b3fbb3e4f/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.46
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f41ed07f18a1afdc91f3548e5c8db4cd5a01f650/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f41ed07f18a1afdc91f3548e5c8db4cd5a01f650/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.45
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/def1eaad908b37024b7a53b173934143a97abd59/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/def1eaad908b37024b7a53b173934143a97abd59/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.44
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/8b70d4ed32b5c2465e0a6371e7f64fae0c6f497e/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/8b70d4ed32b5c2465e0a6371e7f64fae0c6f497e/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.43
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/3b5fac38733c9066307c19dcbea9cae9ce8f637e/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/3b5fac38733c9066307c19dcbea9cae9ce8f637e/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.42
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d029579643dc3094464725f585cad4d0f71b7543/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d029579643dc3094464725f585cad4d0f71b7543/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.41
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/09702838cd2cef6590b5df119677013c36869f08/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/09702838cd2cef6590b5df119677013c36869f08/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.39
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/00ad21526d1dedf924409d63ecc1625dfebad0d3/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/00ad21526d1dedf924409d63ecc1625dfebad0d3/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.38
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f48941c2dc7eb7f3813fe648888ea1aec3106a66/src/benchmark/scorer.js#L49 47 | 48 | const child = spawn(script, [], { > 49 | env: { 50 | ...process.env, 51 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f48941c2dc7eb7f3813fe648888ea1aec3106a66/src/benchmark/workdir.js#L134 132 | const child = spawn(script, [], { 133 | cwd, > 134 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 135 | detached: true, 136 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.36
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/25c7aba5f43d670f0ede6ac3f95c9c307fd7ef20/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/25c7aba5f43d670f0ede6ac3f95c9c307fd7ef20/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.35
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/0729d376bfa9e6fccf7ee6258f01f0542e05d850/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/0729d376bfa9e6fccf7ee6258f01f0542e05d850/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.34
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/082a6b9da85599cfd2993da220280c6869be319b/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/082a6b9da85599cfd2993da220280c6869be319b/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.33
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/57e91a3e4369ea573f5aad5b6dcb732f4d6d0e34/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/57e91a3e4369ea573f5aad5b6dcb732f4d6d0e34/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.