
@hypen-space/cli

Hypen CLI - Create and manage Hypen applications

Versions: 14
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ianrumac

Keywords

hypen, cli, ui, declarative

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by convention, not direct import. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 is a localhost sidecar health-check URL, not an external raw-IP connection. | ai |
semgrep | semgrep:etc-passwd-access | AI (semgrep): Hit is inside a comment explaining path traversal prevention, not actual /etc/passwd access. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Postinstall only runs `bun install` in a sub-directory; no arbitrary code fetch or execution. | ai |
semgrep | semgrep:env-spread | AI (semgrep): env spread used to pass environment to a spawned shell process; standard and expected for a CLI/terminal tool. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Used in a live-preview sandbox to execute user-authored module code; expected pattern for this tool. | ai |
phantom-deps | phantom-dep:bun-plugin-tailwind | AI (phantom-deps): Config-file reference only; stable false positive for this package. | ai |
phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): Config-file reference only; stable false positive for this package. | ai |
phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Config-file reference only; not a real missing import for this CLI package. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped org package @hypen-space/cli; Levenshtein match to 'joi' is a false positive with no brand impersonation intent. | ai |
phantom-deps | phantom-dep:@hypen-space/web | AI (phantom-deps): Same org scope; likely a peer/optional dep, not a malicious phantom dependency. | ai |

Versions (showing 14 of 14)

Version | Deps | Published
0.4.948 | 23 / 3 |
0.4.941 | 22 / 3 |
0.4.91 | 9 / 3 |
0.4.45 | 9 / 3 |
0.4.35 | 7 / 3 |
0.4.31 | 7 / 3 |
0.4.24 | 6 / 3 |
0.4.12 | 3 / 6 |
0.4.11 | 3 / 6 |
0.4.5 | 3 / 6 |
0.4.3 | 3 / 6 |
0.4.1 | 6 / 3 |
0.4.0 | 6 / 3 |
0.3.8 | 3 / 3 |

v0.4.948

7 findings
HIGH etc-passwd-access: src/dev-bun.ts:328 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/src/dev-bun.ts#L328

  326 | // Serve static files from project
  327 | if (pathname.endsWith(".ts") || pathname.endsWith(".js")) {
> 328 |   // Normalize pathname to prevent path traversal (e.g., /../../../etc/passwd)
  329 |   const safePath = normalize(pathname).replace(/^(\.\.[/\\])+/, "");
  330 |

HIGH etc-passwd-access: src/dev-node.ts:264 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/src/dev-node.ts#L264

  262 | // Serve static files from components directory
  263 | if (pathname.endsWith(".ts") || pathname.endsWith(".js")) {
> 264 |   // Normalize pathname to prevent path traversal (e.g., /../../../etc/passwd)
  265 |   const safePath = normalize(pathname).replace(/^(\.\.[/\\])+/, "");
  266 |

HIGH env-spread: src/studio/run-scripts.ts:100 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/src/studio/run-scripts.ts#L100

   98 |   stdout: "pipe",
   99 |   stderr: "pipe",
> 100 |   env: { ...process.env },
  101 | });
  102 |

HIGH env-spread: src/studio/server.ts:136 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/src/studio/server.ts#L136

  134 | iosStreamerProc = Bun.spawn({
  135 |   cmd,
> 136 |   env: { ...process.env },
  137 |   stdout: "inherit",
  138 |   stderr: "inherit",

HIGH env-spread: src/studio/server.ts:164 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/src/studio/server.ts#L164

  162 |   cmd: ["bun", "--hot", "--preload", resolve(studioUiPath, "hypen-preload.ts"), studioServerPath],
  163 |   cwd: studioUiPath,
> 164 |   env: {
  165 |     ...process.env,
  166 |     // Bun.serve `development` (Tailwind/HMR) is off when NODE_ENV=production; shells often

HIGH env-spread: studio-ui/src/index.tsx:888 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4cef45028c519ab9a0fb146fa6c79209284964c8/studio-ui/src/index.tsx#L888

  886 | const proc = Bun.spawn([shell, "-li"], {
  887 |   cwd: projectDir,
> 888 |   env: {
  889 |     ...process.env,
  890 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.941

6 findings
HIGH etc-passwd-access: src/dev-bun.ts:328 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/a99727aabe346913b5eccf4f6da7517ab4bfdce6/src/dev-bun.ts#L328

  326 | // Serve static files from project
  327 | if (pathname.endsWith(".ts") || pathname.endsWith(".js")) {
> 328 |   // Normalize pathname to prevent path traversal (e.g., /../../../etc/passwd)
  329 |   const safePath = normalize(pathname).replace(/^(\.\.[/\\])+/, "");
  330 |

HIGH etc-passwd-access: src/dev-node.ts:264 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/a99727aabe346913b5eccf4f6da7517ab4bfdce6/src/dev-node.ts#L264

  262 | // Serve static files from components directory
  263 | if (pathname.endsWith(".ts") || pathname.endsWith(".js")) {
> 264 |   // Normalize pathname to prevent path traversal (e.g., /../../../etc/passwd)
  265 |   const safePath = normalize(pathname).replace(/^(\.\.[/\\])+/, "");
  266 |

HIGH env-spread: src/studio/server.ts:136 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/a99727aabe346913b5eccf4f6da7517ab4bfdce6/src/studio/server.ts#L136

  134 | iosStreamerProc = Bun.spawn({
  135 |   cmd,
> 136 |   env: { ...process.env },
  137 |   stdout: "inherit",
  138 |   stderr: "inherit",

HIGH env-spread: src/studio/server.ts:164 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/a99727aabe346913b5eccf4f6da7517ab4bfdce6/src/studio/server.ts#L164

  162 |   cmd: ["bun", "--hot", "--preload", resolve(studioUiPath, "hypen-preload.ts"), studioServerPath],
  163 |   cwd: studioUiPath,
> 164 |   env: {
  165 |     ...process.env,
  166 |     // Bun.serve `development` (Tailwind/HMR) is off when NODE_ENV=production; shells often

HIGH env-spread: studio-ui/src/index.tsx:664 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/a99727aabe346913b5eccf4f6da7517ab4bfdce6/studio-ui/src/index.tsx#L664

  662 | const proc = Bun.spawn([shell, "-li"], {
  663 |   cwd: projectDir,
> 664 |   env: {
  665 |     ...process.env,
  666 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.91

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: cd studio-ui && bun install

HIGH env-spread: studio-ui/src/index.tsx:655 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/f58bfb55e9f4a9ce3ac30e51cb9f4c8ec8898ffc/studio-ui/src/index.tsx#L655

  653 | const proc = Bun.spawn([shell, "-li"], {
  654 |   cwd: projectDir,
> 655 |   env: {
  656 |     ...process.env,
  657 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.45

2 findings
HIGH env-spread: studio-ui/src/index.tsx:522 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/8dedf14be82e745a418a39ee2573fe18fdcc5b59/studio-ui/src/index.tsx#L522

  520 | const proc = Bun.spawn([shell, "-li"], {
  521 |   cwd: projectDir,
> 522 |   env: {
  523 |     ...process.env,
  524 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.35

2 findings
HIGH env-spread: studio-ui/src/index.tsx:387 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/e901e167e88e54464bdd5a0bef1bdc9e46af9665/studio-ui/src/index.tsx#L387

  385 | const proc = Bun.spawn([shell, "-li"], {
  386 |   cwd: projectDir,
> 387 |   env: {
  388 |     ...process.env,
  389 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.31

2 findings
HIGH env-spread: studio-ui/src/index.tsx:387 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/hypen-lang/hypen-engine-rs/blob/4ad7758f4f8a5daf2cdf41bc24e16dcbf327a641/studio-ui/src/index.tsx#L387

  385 | const proc = Bun.spawn([shell, "-li"], {
  386 |   cwd: projectDir,
> 387 |   env: {
  388 |     ...process.env,
  389 |     TERM: "xterm-256color",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.24

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.