@goodfoot/wiki
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): process.env spread into spawnSync for cargo build; standard toolchain env forwarding, not exfiltration. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used solely to invoke cargo for native binary compilation; expected pattern for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall selects platform-specific prebuilt binary from optional deps; standard native CLI distribution pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Tiny payload and no description are expected for a CLI binary wrapper package; not spam indicators here. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 0.5.71 | 0 / 0 | |
| 0.5.65 | 0 / 0 | |
| 0.5.63 | 0 / 0 | |
| 0.5.62 | 0 / 0 | |
| 0.5.61 | 0 / 0 | |
| 0.5.60 | 0 / 0 | |
| 0.5.58 | 0 / 0 | |
| 0.5.57 | 0 / 0 | |
| 0.5.54 | 0 / 0 | |
| 0.5.53 | 0 / 0 | |
| 0.5.52 | 0 / 0 | |
| 0.5.51 | 0 / 0 | |
| 0.5.49 | 0 / 0 | |
| 0.5.48 | 0 / 0 | |
| 0.5.46 | 0 / 0 | |
| 0.5.45 | 0 / 0 | |
| 0.5.44 | 0 / 0 | |
| 0.5.41 | 0 / 0 | |
| 0.5.39 | 0 / 0 | |
| 0.5.38 | 0 / 0 | |
| 0.5.37 | 0 / 0 | |
| 0.5.35 | 0 / 0 | |
| 0.5.33 | 0 / 0 | |
| 0.5.32 | 0 / 0 | |
| 0.5.31 | 0 / 0 | |
| 0.5.24 | 0 / 0 | |
| 0.5.22 | 0 / 0 | |
| 0.5.21 | 0 / 0 | |
| 0.5.19 | 0 / 0 | |
| 0.5.15 | 0 / 0 | |
| 0.5.14 | 0 / 0 | |
| 0.5.0 | 0 / 0 | |
v0.5.71
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/goodfoot-io/wiki/blob/c10efd8805c71bd222f166a34e7079bb21fdf8a6/scripts/postinstall.js#L37

```js
  35 | const result = spawnSync('cargo', ['build', '--release', '--manifest-path', cargoToml], {
  36 |   stdio: 'inherit',
> 37 |   env: { ...process.env, CARGO_BUILD_JOBS: '1', CARGO_TARGET_DIR: targetDir }
  38 | });
  39 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.65
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/goodfoot-io/wiki/blob/f819372371d2756247f989d0d0087dae83ae045f/scripts/postinstall.js#L37

```js
  35 | const result = spawnSync('cargo', ['build', '--release', '--manifest-path', cargoToml], {
  36 |   stdio: 'inherit',
> 37 |   env: { ...process.env, CARGO_BUILD_JOBS: '1', CARGO_TARGET_DIR: targetDir }
  38 | });
  39 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.63
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.62
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.61
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.60
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.58
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.57
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.54
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.53
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.52
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.51
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.49
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.48
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.46
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.45
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.44
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.41
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.38
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.37
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.35
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.