@goalwards/deck
Builds and presents Marp slide decks from modular Markdown content. One install gives you the full toolchain: compose decks from topic files and schedules, present them live with a speaker HUD, and browse the documentation without leaving your terminal.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Opens a URL in the OS default browser via open/start/xdg-open; standard docs-launcher pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same browser-open pattern; cmd is selected from a fixed platform-specific list, not user-controlled. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves sibling @goalwards/* package binary paths; controlled input, not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@goalwards/marp-export | AI (phantom-deps): Same-org dep likely used via CLI subprocess via resolve-bin.js rather than direct import. | ai | |
| phantom-deps | phantom-dep:@goalwards/marp-present | AI (phantom-deps): Same-org dep likely used via CLI subprocess via resolve-bin.js rather than direct import. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.13.0 | 4 / 1 | |
| 0.10.2 | 4 / 1 | |
| 0.10.1 | 4 / 1 | |
| 0.10.0 | 4 / 1 | |
| 0.9.0 | 4 / 1 | |
| 0.8.0 | 4 / 1 | |
| 0.7.0 | 3 / 1 | |
| 0.6.0 | 3 / 1 | |
| 0.5.0 | 3 / 1 | |
| 0.4.0 | 3 / 1 | |
| 0.3.0 | 3 / 1 | |
| 0.2.0 | 3 / 1 | |
| 0.1.0 | 3 / 1 |
v0.13.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 44 | : process.platform === 'win32' ? 'start' 45 | : 'xdg-open' > 46 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 47 | } 48 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 41 | : process.platform === 'win32' ? 'start' 42 | : 'xdg-open' > 43 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 44 | } 45 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 35 | : process.platform === 'win32' ? 'start' 36 | : 'xdg-open' > 37 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 38 | } 39 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 35 | : process.platform === 'win32' ? 'start' 36 | : 'xdg-open' > 37 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 38 | } 39 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 35 | : process.platform === 'win32' ? 'start' 36 | : 'xdg-open' > 37 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 38 | } 39 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 35 | : process.platform === 'win32' ? 'start' 36 | : 'xdg-open' > 37 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 38 | } 39 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 33 | : process.platform === 'win32' ? 'start' 34 | : 'xdg-open' > 35 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 36 | } 37 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 33 | : process.platform === 'win32' ? 'start' 34 | : 'xdg-open' > 35 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 36 | } 37 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 33 | : process.platform === 'win32' ? 'start' 34 | : 'xdg-open' > 35 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 36 | } 37 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 33 | : process.platform === 'win32' ? 'start' 34 | : 'xdg-open' > 35 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 36 | } 37 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 32 | : process.platform === 'win32' ? 'start' 33 | : 'xdg-open' > 34 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 35 | } 36 |
Silent detached process — runs invisibly in the background (reverse shells, miners) 32 | : process.platform === 'win32' ? 'start' 33 | : 'xdg-open' > 34 | spawn(cmd, [url], { detached: true, stdio: 'ignore' }).unref() 35 | } 36 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.