
@geekmidas/cli

CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs

Versions: 27
License: (not shown)
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Provenance attests which CI workflow built and published the tarball; it does not attest that the contents are safe, so the code findings below still apply to attested versions.

Maintainers

geekmidas

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Pattern is child-process spawn with NODE_OPTIONS injection; not credential exfiltration. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fires only in test fixtures using 127.0.0.1 localhost addresses. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Loads package.json by filesystem path; not arbitrary user-controlled module loading. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Fires in encryption test suite validating base64 output; no payload hiding. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Fires in encryption utility decoding AES key/IV from hex; standard crypto pattern. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): @geekmidas/cli is a scoped CLI tool; levenshtein match to 'joi' is coincidental. | ai |
phantom-deps | phantom-dep:openapi-typescript | AI (phantom-deps): Listed as runtime dep; used via config/CLI invocation rather than direct import. | ai |
phantom-deps | phantom-dep:@apidevtools/swagger-parser | AI (phantom-deps): Listed as runtime dep; used via config/CLI invocation rather than direct import. | ai |

Versions (showing 27 of 27)

Version Deps Published
1.10.38 22 / 8
1.10.37 22 / 8
1.10.36 22 / 8
1.10.35 22 / 8
0.38.0 14 / 7
0.21.0 8 / 7
0.20.0 8 / 7
0.19.0 8 / 7
0.18.0 8 / 7
0.17.0 8 / 7
0.16.0 8 / 7
0.15.0 8 / 7
0.14.0 8 / 7
0.13.0 8 / 7
0.12.0 8 / 7
0.10.0 8 / 7
0.9.0 8 / 7
0.8.0 8 / 7
0.7.0 8 / 7
0.6.2 8 / 7
0.6.1 8 / 7
0.6.0 8 / 7
0.5.1 8 / 7
0.5.0 8 / 7
0.4.0 6 / 6
0.3.0 6 / 6
0.2.4 6 / 6

v1.10.38

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.37

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.36

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.35

12 findings
HIGH env-spread: bin/gkm.mjs:27 semgrep

Spreading entire process.env into an object — may capture all secrets

```
    25 | execFileSync(process.execPath, process.argv.slice(1), {
    26 |   stdio: 'inherit',
>   27 |   env: {
    28 |     ...process.env,
    29 |     NODE_OPTIONS: `${nodeOptions} --import ${tsxPath}`.trim(),
```

HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/credentials/index.ts:426 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   424 |   portEnv?: Record<string, string>,
   425 | ): Record<string, string | undefined> {
>  426 |   return { ...process.env, ...secretsEnv, ...portEnv };
   427 | }
   428 |
```

HIGH env-spread: src/deploy/docker.ts:164 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   162 |   cwd: buildCwd,
   163 |   stdio: 'inherit',
>  164 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   165 | });
   166 | logger.log(`✅ Image built: ${imageRef}`);
```

HIGH env-spread: src/deploy/sniffer.ts:304 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   302 |   cwd: resolve(workspacePath, appPath),
   303 |   stdio: ['ignore', 'pipe', 'pipe'],
>  304 |   env: {
   305 |     ...process.env,
   306 |     // Ensure tsx is available for TypeScript entry files
```

HIGH env-spread: src/deploy/sniffer.ts:402 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   400 |   cwd: fullAppPath,
   401 |   stdio: ['ignore', 'pipe', 'pipe'],
>  402 |   env: {
   403 |     ...process.env,
   404 |   },
```

HIGH env-spread: src/dev/index.ts:1023 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1021 | // Prepare environment variables
  1022 | // Order matters: secrets first, then dependencies (dependencies can override)
> 1023 | const turboEnv: Record<string, string> = {
  1024 |   ...process.env,
  1025 |   ...secretsEnv,
```

HIGH env-spread: src/dev/index.ts:1267 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1265 | private async runProcess(): Promise<void> {
  1266 |   // Pass PORT as environment variable
> 1267 |   const env = { ...process.env, PORT: String(this.port) };
  1268 |
  1269 |   this.childProcess = spawn('npx', ['tsx', this.wrapperPath], {
```

HIGH env-spread: src/dev/index.ts:1479 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1477 | {
  1478 |   stdio: 'inherit',
> 1479 |   env: { ...process.env, NODE_ENV: 'development' },
  1480 |   detached: true,
  1481 | },
```

HIGH env-spread: src/docker/index.ts:293 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   291 |   cwd,
   292 |   stdio: 'inherit',
>  293 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   294 | },
   295 | );
```

HIGH env-spread: src/exec/index.ts:99 semgrep

Spreading entire process.env into an object — may capture all secrets

```
    97 |   cwd,
    98 |   stdio: 'inherit',
>   99 |   env: {
   100 |     ...process.env,
   101 |     ...credentials, // Inject secrets as env vars
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
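Every env-spread finding in this version has the same shape: `{ ...process.env, X: 'y' }` handed to a child process, which gives the child every variable in the parent's environment, including any cloud credentials or registry tokens present in the shell that ran the CLI. The accepted-risk note treats this as intended plumbing rather than exfiltration, which is reasonable for a developer tool, but the hardened alternative costs little. The JavaScript below is an added example, not code from @geekmidas/cli: it contrasts the flagged pattern with an allowlisted environment, appends to NODE_OPTIONS without clobbering the parent's value (the bin/gkm.mjs case), and includes a small audit helper. The allowlist, the secret-name regex, the loader path and the sample parent environment are constructed assumptions for the example.

```javascript
// Added example (not code from @geekmidas/cli): build a child-process
// environment from an allowlist instead of spreading all of process.env.

// Variables a CLI's child process typically needs. Constructed assumption,
// not the project's policy; extend it per tool (e.g. DOCKER_HOST for docker).
const DEFAULT_ALLOWLIST = ['PATH', 'HOME', 'USER', 'SHELL', 'TERM', 'LANG', 'TMPDIR', 'NODE_OPTIONS'];

// Heuristic for secret-looking variable names; constructed for this example.
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL/i;

// The shape semgrep's env-spread rule flags: every parent variable reaches the child.
function spreadEnv(parentEnv, overrides = {}) {
  return { ...parentEnv, ...overrides };
}

// Hardened form: copy only allowlisted names, then layer explicit overrides
// (DOCKER_BUILDKIT, PORT, injected credentials) on top of that smaller base.
function allowlistEnv(parentEnv, overrides = {}, allowlist = DEFAULT_ALLOWLIST) {
  const env = {};
  for (const name of allowlist) {
    if (parentEnv[name] !== undefined) env[name] = parentEnv[name];
  }
  return { ...env, ...overrides };
}

// Append a flag to NODE_OPTIONS without clobbering what the parent already set.
// NODE_OPTIONS is inherited by every descendant node process, so the parent's
// own value must survive, and re-running must not add the flag twice.
function withNodeOptions(env, flag) {
  const existing = env.NODE_OPTIONS ?? '';
  const next = existing.includes(flag) ? existing : `${existing} ${flag}`.trim();
  return { ...env, NODE_OPTIONS: next };
}

// Audit helper: which secret-looking names would this env hand to the child?
function leakedSecretNames(env) {
  return Object.keys(env).filter((name) => SECRET_NAME.test(name)).sort();
}

// Constructed sample parent environment (values are placeholders, not real secrets).
const SAMPLE_PARENT_ENV = {
  PATH: '/usr/local/bin:/usr/bin',
  HOME: '/home/dev',
  NODE_OPTIONS: '--max-old-space-size=4096',
  AWS_SECRET_ACCESS_KEY: 'constructed-placeholder',
  NPM_TOKEN: 'constructed-placeholder',
  DATABASE_PASSWORD: 'constructed-placeholder',
};

// Compare both approaches for the same child: a docker build that also needs a
// TypeScript loader registered through NODE_OPTIONS (hypothetical loader path).
function compareEnvs(parentEnv = SAMPLE_PARENT_ENV) {
  const overrides = { DOCKER_BUILDKIT: '1' };
  const loaderFlag = '--import /tmp/tsx/loader.mjs';
  return {
    spread: withNodeOptions(spreadEnv(parentEnv, overrides), loaderFlag),
    scoped: withNodeOptions(allowlistEnv(parentEnv, overrides), loaderFlag),
  };
}
```

In real code the first argument is `process.env` and the result is passed as the `env` option to `spawn` or `execFileSync`. The trade-off is that an allowlist that is too narrow breaks tools that read variables you forgot (proxy settings, docker socket paths), so add names deliberately and log what was dropped in a verbose mode. Where credentials must be injected, as at src/exec/index.ts:99, they belong in `overrides`: the child then receives the secrets it was meant to receive rather than everything in the operator's shell.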

v0.38.0

7 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:1030 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1028 | // Prepare environment variables
  1029 | // Order matters: secrets first, then dependencies (dependencies can override)
> 1030 | const turboEnv: Record<string, string> = {
  1031 |   ...process.env,
  1032 |   ...secretsEnv,
```

HIGH env-spread: src/dev/index.ts:1496 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1494 | private async runProcess(): Promise<void> {
  1495 |   // Pass PORT as environment variable
> 1496 |   const env = { ...process.env, PORT: String(this.port) };
  1497 |
  1498 |   this.childProcess = spawn('npx', ['tsx', this.wrapperPath], {
```

HIGH env-spread: src/dev/index.ts:1622 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1620 | {
  1621 |   stdio: 'inherit',
> 1622 |   env: { ...process.env, NODE_ENV: 'development' },
  1623 |   detached: true,
  1624 | },
```

HIGH env-spread: src/docker/index.ts:292 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   290 |   cwd,
   291 |   stdio: 'inherit',
>  292 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   293 | },
   294 | );
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.21.0

6 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:908 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   906 | // Prepare environment variables
   907 | // Order matters: secrets first, then dependencies (dependencies can override)
>  908 | const turboEnv: Record<string, string> = {
   909 |   ...process.env,
   910 |   ...secretsEnv,
```

HIGH env-spread: src/dev/index.ts:1193 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1191 | {
  1192 |   stdio: 'inherit',
> 1193 |   env: { ...process.env, NODE_ENV: 'development' },
  1194 |   detached: true,
  1195 | },
```

HIGH env-spread: src/docker/index.ts:292 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   290 |   cwd,
   291 |   stdio: 'inherit',
>  292 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   293 | },
   294 | );
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.20.0

6 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:908 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   906 | // Prepare environment variables
   907 | // Order matters: secrets first, then dependencies (dependencies can override)
>  908 | const turboEnv: Record<string, string> = {
   909 |   ...process.env,
   910 |   ...secretsEnv,
```

HIGH env-spread: src/dev/index.ts:1193 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1191 | {
  1192 |   stdio: 'inherit',
> 1193 |   env: { ...process.env, NODE_ENV: 'development' },
  1194 |   detached: true,
  1195 | },
```

HIGH env-spread: src/docker/index.ts:292 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   290 |   cwd,
   291 |   stdio: 'inherit',
>  292 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   293 | },
   294 | );
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.19.0

6 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:908 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   906 | // Prepare environment variables
   907 | // Order matters: secrets first, then dependencies (dependencies can override)
>  908 | const turboEnv: Record<string, string> = {
   909 |   ...process.env,
   910 |   ...secretsEnv,
```

HIGH env-spread: src/dev/index.ts:1193 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  1191 | {
  1192 |   stdio: 'inherit',
> 1193 |   env: { ...process.env, NODE_ENV: 'development' },
  1194 |   detached: true,
  1195 | },
```

HIGH env-spread: src/docker/index.ts:292 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   290 |   cwd,
   291 |   stdio: 'inherit',
>  292 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   293 | },
   294 | );
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.18.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:275 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   273 |   cwd,
   274 |   stdio: 'inherit',
>  275 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   276 | },
   277 | );
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:275 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   273 |   cwd,
   274 |   stdio: 'inherit',
>  275 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   276 | },
   277 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:275 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   273 |   cwd,
   274 |   stdio: 'inherit',
>  275 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   276 | },
   277 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:135 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   133 |   cwd: buildCwd,
   134 |   stdio: 'inherit',
>  135 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   136 | },
   137 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:275 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   273 |   cwd,
   274 |   stdio: 'inherit',
>  275 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   276 | },
   277 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:75 semgrep

Spreading entire process.env into an object — may capture all secrets

```
    73 |   cwd: buildCwd,
    74 |   stdio: 'inherit',
>   75 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
    76 | },
    77 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:275 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   273 |   cwd,
   274 |   stdio: 'inherit',
>  275 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   276 | },
   277 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:46 semgrep

Spreading entire process.env into an object — may capture all secrets

```
    44 |   cwd: process.cwd(),
    45 |   stdio: 'inherit',
>   46 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
    47 | },
    48 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:188 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   186 |   cwd: process.cwd(),
   187 |   stdio: 'inherit',
>  188 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   189 | },
   190 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.0

5 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/deploy/docker.ts:46 semgrep

Spreading entire process.env into an object — may capture all secrets

```
    44 |   cwd: process.cwd(),
    45 |   stdio: 'inherit',
>   46 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
    47 | },
    48 | );
```

HIGH env-spread: src/dev/index.ts:613 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   611 | {
   612 |   stdio: 'inherit',
>  613 |   env: { ...process.env, NODE_ENV: 'development' },
   614 |   detached: true,
   615 | },
```

HIGH env-spread: src/docker/index.ts:188 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   186 |   cwd: process.cwd(),
   187 |   stdio: 'inherit',
>  188 |   env: { ...process.env, DOCKER_BUILDKIT: '1' },
   189 | },
   190 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:567 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   565 | {
   566 |   stdio: 'inherit',
>  567 |   env: { ...process.env, NODE_ENV: 'development' },
   568 |   detached: true,
   569 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:559 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   557 | {
   558 |   stdio: 'inherit',
>  559 |   env: { ...process.env, NODE_ENV: 'development' },
   560 |   detached: true,
   561 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:543 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   541 | {
   542 |   stdio: 'inherit',
>  543 |   env: { ...process.env, NODE_ENV: 'development' },
   544 |   detached: true,
   545 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:491 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   489 | {
   490 |   stdio: 'inherit',
>  491 |   env: { ...process.env, NODE_ENV: 'development' },
   492 |   detached: true,
   493 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:433 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   431 | {
   432 |   stdio: 'inherit',
>  433 |   env: { ...process.env, NODE_ENV: 'development' },
   434 |   detached: true,
   435 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:433 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   431 | {
   432 |   stdio: 'inherit',
>  433 |   env: { ...process.env, NODE_ENV: 'development' },
   434 |   detached: true,
   435 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:433 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   431 | {
   432 |   stdio: 'inherit',
>  433 |   env: { ...process.env, NODE_ENV: 'development' },
   434 |   detached: true,
   435 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.1

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:415 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   413 | {
   414 |   stdio: 'inherit',
>  415 |   env: { ...process.env, NODE_ENV: 'development' },
   416 |   detached: true,
   417 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

3 findings
HIGH env-spread: src/__tests__/loadEnvFiles.spec.ts:9 semgrep

Spreading entire process.env into an object — may capture all secrets

```
     7 | describe('loadEnvFiles', () => {
     8 |   let testDir: string;
>    9 |   const originalEnv = { ...process.env };
    10 |
    11 |   beforeEach(() => {
```

HIGH env-spread: src/dev/index.ts:415 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   413 | {
   414 |   stdio: 'inherit',
>  415 |   env: { ...process.env, NODE_ENV: 'development' },
   416 |   detached: true,
   417 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

2 findings
HIGH env-spread: src/dev/index.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   353 | {
   354 |   stdio: 'inherit',
>  355 |   env: { ...process.env, NODE_ENV: 'development' },
   356 |   detached: true,
   357 | },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

2 findings
HIGH env-spread: src/dev/index.ts:268 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   266 | {
   267 |   stdio: 'inherit',
>  268 |   env: { ...process.env, NODE_ENV: 'development' },
   269 | },
   270 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.4

2 findings
HIGH env-spread: src/dev/index.ts:268 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   266 | {
   267 |   stdio: 'inherit',
>  268 |   env: { ...process.env, NODE_ENV: 'development' },
   269 | },
   270 | );
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.