@forwardimpact/map
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a subprocess-spawning CLI helper; passing process.env to spawnSync is standard practice, not exfiltration. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @forwardimpact package; name similarity to hapi is coincidental, not a typosquat. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @forwardimpact package; name similarity to yup is coincidental, not a typosquat. | ai | |
Versions (showing 50 of 50)
| Version | Deps | Published |
|---|---|---|
| 0.15.54 | 12 / 6 | |
| 0.15.53 | 12 / 6 | |
| 0.15.52 | 12 / 6 | |
| 0.15.51 | 12 / 6 | |
| 0.15.50 | 11 / 6 | |
| 0.15.49 | 10 / 7 | |
| 0.15.48 | 10 / 7 | |
| 0.15.47 | 8 / 6 | |
| 0.15.46 | 8 / 6 | |
| 0.15.44 | 7 / 6 | |
| 0.15.43 | 7 / 6 | |
| 0.15.41 | 7 / 6 | |
| 0.15.40 | 7 / 6 | |
| 0.15.39 | 7 / 6 | |
| 0.15.38 | 7 / 6 | |
| 0.15.37 | 7 / 6 | |
| 0.15.36 | 7 / 6 | |
| 0.15.35 | 7 / 6 | |
| 0.15.34 | 7 / 6 | |
| 0.15.33 | 7 / 6 | |
| 0.15.32 | 7 / 6 | |
| 0.15.31 | 7 / 6 | |
| 0.15.30 | 7 / 5 | |
| 0.15.29 | 7 / 5 | |
| 0.15.28 | 7 / 5 | |
| 0.15.27 | 7 / 5 | |
| 0.15.26 | 7 / 5 | |
| 0.15.25 | 7 / 5 | |
| 0.15.24 | 7 / 5 | |
| 0.15.23 | 7 / 5 | |
| 0.15.22 | 7 / 5 | |
| 0.15.21 | 7 / 5 | |
| 0.15.16 | 7 / 5 | |
| 0.15.14 | 6 / 5 | |
| 0.15.13 | 5 / 5 | |
| 0.15.11 | 4 / 1 | |
| 0.15.8 | 4 / 1 | |
| 0.15.7 | 4 / 1 | |
| 0.15.6 | 4 / 1 | |
| 0.15.5 | 4 / 1 | |
| 0.15.4 | 4 / 1 | |
| 0.15.3 | 4 / 1 | |
| 0.15.2 | 4 / 1 | |
| 0.15.1 | 3 / 1 | |
| 0.15.0 | 3 / 1 | |
| 0.14.0 | 3 / 1 | |
| 0.13.0 | 3 / 1 | |
| 0.12.0 | 3 / 1 | |
| 0.11.1 | 3 / 1 | |
| 0.11.0 | 3 / 1 | |
v0.15.54
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.53
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.52
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.51
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.50
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.49
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.48
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.47
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.46
2 findings:

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/forwardimpact/monorepo/blob/09702838cd2cef6590b5df119677013c36869f08/src/commands/substrate-smoke.js#L28

```js
  26 |   return spawnSync("bunx", ["fit-landmark", ...argv], {
  27 |     encoding: "utf8",
> 28 |     env: { ...process.env, ...extraEnv },
  29 |   });
  30 | }
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.44
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.43
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.41
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.39
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.38
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.37
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.36
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.35
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.34
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.