
@idlebox/node

31 Versions | License | No Install Scripts | Verified Provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

gongt

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@idlebox/source-map-support | AI (phantom-deps): Same org scope; likely re-exported or used indirectly. Stable false positive for this package. | ai |
phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): source-map-support is a declared runtime dep used via config/loader, not direct import; stable false positive. | ai |
semgrep | semgrep:env-spread | AI (semgrep): env-spread is used to pass parent env to a child process in respawn.js — standard pattern, not exfiltration. | ai |
typosquat | typosquat.levenshtein:zod | AI (typosquat): Scoped package @idlebox/node is not a typosquat of zod; completely different name and purpose. | ai |

Versions (showing 31 of 31)

Version | Deps | Published
1.4.37 | 3 / 3 |
1.4.36 | 3 / 3 |
1.4.35 | 3 / 3 |
1.4.34 | 3 / 3 |
1.4.33 | 3 / 3 |
1.4.32 | 3 / 3 |
1.4.31 | 3 / 4 |
1.4.30 | 3 / 4 |
1.4.29 | 3 / 3 |
1.4.28 | 3 / 3 |
1.4.27 | 3 / 3 |
1.4.26 | 3 / 3 |
1.4.25 | 3 / 3 |
1.4.23 | 3 / 3 |
1.4.22 | 3 / 3 |
1.4.21 | 3 / 3 |
1.4.20 | 3 / 3 |
1.4.19 | 3 / 3 |
1.4.18 | 3 / 3 |
1.4.17 | 3 / 3 |
1.4.16 | 3 / 3 |
1.4.15 | 3 / 0 |
1.4.14 | 4 / 4 |
1.4.13 | 4 / 4 |
1.4.12 | 4 / 5 |
1.4.11 | 4 / 5 |
1.4.10 | 4 / 5 |
1.4.9 | 4 / 5 |
1.4.8 | 4 / 5 |
1.4.7 | 4 / 5 |
1.4.6 | 4 / 4 |

v1.4.37

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.36

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.35

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.34

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.33

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.32

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.31

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.30

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.29

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.28

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.27

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.26

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.25

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.23

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.22

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.21

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.20

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.19

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.18

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.17

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.16

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.15

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.14

3 findings
HIGH env-spread: lib/child_process/respawn.js:85 semgrep

Spreading entire process.env into an object — may capture all secrets
    83 | stdio: 'inherit',
    84 | windowsHide: true,
  > 85 | env: {
    86 |   ...process.env,
    87 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:94 semgrep

Spreading entire process.env into an object — may capture all secrets
    92 | stdio: 'inherit',
    93 | windowsHide: true,
  > 94 | env: {
    95 |   ...process.env,
    96 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.11

3 findings
HIGH env-spread: lib/child_process/respawn.js:83 semgrep

Spreading entire process.env into an object — may capture all secrets
    81 | stdio: 'inherit',
    82 | windowsHide: true,
  > 83 | env: {
    84 |   ...process.env,
    85 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:92 semgrep

Spreading entire process.env into an object — may capture all secrets
    90 | stdio: 'inherit',
    91 | windowsHide: true,
  > 92 | env: {
    93 |   ...process.env,
    94 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.10

3 findings
HIGH env-spread: lib/child_process/respawn.js:83 semgrep

Spreading entire process.env into an object — may capture all secrets
    81 | stdio: 'inherit',
    82 | windowsHide: true,
  > 83 | env: {
    84 |   ...process.env,
    85 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:92 semgrep

Spreading entire process.env into an object — may capture all secrets
    90 | stdio: 'inherit',
    91 | windowsHide: true,
  > 92 | env: {
    93 |   ...process.env,
    94 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.9

3 findings
HIGH env-spread: lib/child_process/respawn.js:83 semgrep

Spreading entire process.env into an object — may capture all secrets
    81 | stdio: 'inherit',
    82 | windowsHide: true,
  > 83 | env: {
    84 |   ...process.env,
    85 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:92 semgrep

Spreading entire process.env into an object — may capture all secrets
    90 | stdio: 'inherit',
    91 | windowsHide: true,
  > 92 | env: {
    93 |   ...process.env,
    94 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.8

3 findings
HIGH env-spread: lib/child_process/respawn.js:83 semgrep

Spreading entire process.env into an object — may capture all secrets
    81 | stdio: 'inherit',
    82 | windowsHide: true,
  > 83 | env: {
    84 |   ...process.env,
    85 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:92 semgrep

Spreading entire process.env into an object — may capture all secrets
    90 | stdio: 'inherit',
    91 | windowsHide: true,
  > 92 | env: {
    93 |   ...process.env,
    94 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.7

3 findings
HIGH env-spread: lib/child_process/respawn.js:83 semgrep

Spreading entire process.env into an object — may capture all secrets
    81 | stdio: 'inherit',
    82 | windowsHide: true,
  > 83 | env: {
    84 |   ...process.env,
    85 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:92 semgrep

Spreading entire process.env into an object — may capture all secrets
    90 | stdio: 'inherit',
    91 | windowsHide: true,
  > 92 | env: {
    93 |   ...process.env,
    94 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.6

4 findings
HIGH env-spread: lib/cjs/child_process/respawn.cjs:89 semgrep

Spreading entire process.env into an object — may capture all secrets
    87 | stdio: 'inherit',
    88 | windowsHide: true,
  > 89 | env: {
    90 |   ...process.env,
    91 |   NEVER_UNSHARE: 'true',

HIGH env-spread: lib/esm/child_process/respawn.js:84 semgrep

Spreading entire process.env into an object — may capture all secrets
    82 | stdio: 'inherit',
    83 | windowsHide: true,
  > 84 | env: {
    85 |   ...process.env,
    86 |   NEVER_UNSHARE: 'true',

HIGH env-spread: src/child_process/respawn.ts:93 semgrep

Spreading entire process.env into an object — may capture all secrets
    91 | stdio: 'inherit',
    92 | windowsHide: true,
  > 93 | env: {
    94 |   ...process.env,
    95 |   NEVER_UNSHARE: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.