
@git-stunts/git-warp

39 Versions | License | No Install Scripts | Verified Provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

flyingrobots

Keywords

git, git-stunts, warp, graph, graph-database, dag, merkle, commit-graph, content-addressable, hexagonal, ddd, invisible-storage, empty-tree

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Standard child-process env passthrough in bisect CLI; not exfiltration. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Used for signature verification in SyncAuthService — standard crypto pattern. | ai |
phantom-deps | phantom-dep:@git-stunts/git-cas | AI (phantom-deps): Same-org dep; may be used indirectly or via re-export rather than direct import. | ai |
phantom-deps | phantom-dep:wrap-ansi | AI (phantom-deps): wrap-ansi is a declared runtime dep for CLI output; stable false positive. | ai |
phantom-deps | phantom-dep:figures | AI (phantom-deps): figures is a declared runtime dep for CLI output; stable false positive. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Decoding git bitmap index data; legitimate domain use, not obfuscation. | ai |
phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dep used in config/schema validation; stable false positive. | ai |

Versions (showing 39 of 39)

Version | Deps | Published
16.0.0 | 15 / 13 |
15.0.0 | 15 / 13 |
14.16.2 | 15 / 13 |
14.16.0 | 15 / 13 |
14.15.0 | 15 / 13 |
14.14.0 | 15 / 13 |
14.13.0 | 15 / 13 |
14.12.0 | 15 / 13 |
14.11.0 | 15 / 13 |
14.10.0 | 15 / 13 |
14.9.0 | 15 / 13 |
14.8.0 | 15 / 13 |
14.7.0 | 15 / 13 |
14.6.0 | 15 / 13 |
14.5.0 | 15 / 13 |
14.4.0 | 15 / 13 |
14.3.0 | 15 / 13 |
14.2.0 | 16 / 14 |
14.1.0 | 16 / 14 |
14.0.0 | 16 / 13 |
13.1.0 | 15 / 12 |
13.0.1 | 14 / 12 |
13.0.0 | 14 / 12 |
12.4.1 | 14 / 12 |
12.3.0 | 14 / 12 |
12.2.1 | 14 / 12 |
12.2.0 | 14 / 12 |
12.1.0 | 14 / 12 |
12.0.0 | 14 / 12 |
11.5.1 | 14 / 12 |
11.5.0 | 14 / 12 |
11.3.3 | 14 / 12 |
11.2.1 | 14 / 12 |
10.8.0 | 14 / 12 |
10.7.0 | 14 / 12 |
10.4.2 | 14 / 12 |
10.3.2 | 13 / 12 |
10.1.2 | 13 / 12 |
10.1.1 | 13 / 12 |

v16.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.16.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.16.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.15.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.14.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.13.0

2 findings
HIGH env-spread: bin/cli/commands/bisect.js:33 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/git-stunts/git-warp/blob/34bd5567e319a290f0c35dc3df7c647c61d77ce1/bin/cli/commands/bisect.js#L33

    31 |     execSync(testCmd, {
    32 |       stdio: 'pipe',
  > 33 |       env: {
    34 |         ...process.env,
    35 |         WARP_BISECT_SHA: sha,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.12.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.11.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.10.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.7.0

2 findings
HIGH env-spread: bin/cli/commands/bisect.js:33 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/git-stunts/git-warp/blob/99da2f71f1dc02bad24a4d199241d57d10c2417c/bin/cli/commands/bisect.js#L33

    31 |     execSync(testCmd, {
    32 |       stdio: 'pipe',
  > 33 |       env: {
    34 |         ...process.env,
    35 |         WARP_BISECT_SHA: sha,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.5.0

2 findings
HIGH env-spread: bin/cli/commands/bisect.js:33 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/git-stunts/git-warp/blob/004d54a369f69e3bca685e1c9f165a93a757c401/bin/cli/commands/bisect.js#L33

    31 |     execSync(testCmd, {
    32 |       stdio: 'pipe',
  > 33 |       env: {
    34 |         ...process.env,
    35 |         WARP_BISECT_SHA: sha,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.2.0

2 findings
HIGH env-spread: bin/cli/commands/bisect.js:33 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/git-stunts/git-warp/blob/81518dabc31ae5f4ef03c52765356b1abb2b9706/bin/cli/commands/bisect.js#L33

    31 |     execSync(testCmd, {
    32 |       stdio: 'pipe',
  > 33 |       env: {
    34 |         ...process.env,
    35 |         WARP_BISECT_SHA: sha,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.1.0

2 findings
HIGH env-spread: bin/cli/commands/bisect.js:33 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/git-stunts/git-warp/blob/e3176893ff39df53df1ca9a1bb3b261bb2a92bfa/bin/cli/commands/bisect.js#L33

    31 |     execSync(testCmd, {
    32 |       stdio: 'pipe',
  > 33 |       env: {
    34 |         ...process.env,
    35 |         WARP_BISECT_SHA: sha,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v14.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v13.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.4.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.5.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.3.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.4.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.