@jskit-ai/jskit-cli
Bundle and package orchestration CLI for JSKIT apps.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Standard pattern for spawning child processes with inherited env; expected in a CLI tool. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1:3000 is a localhost dev-server URL, not an external IP. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes stored file content for undo/restore logic; not a payload-hiding pattern. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.2.97 | 5 / 0 | |
| 0.2.96 | 5 / 0 | |
| 0.2.92 | 5 / 0 | |
| 0.2.91 | 5 / 0 | |
| 0.2.90 | 5 / 0 | |
| 0.2.89 | 5 / 0 | |
| 0.2.88 | 5 / 0 | |
| 0.2.87 | 5 / 0 | |
| 0.2.86 | 5 / 0 | |
| 0.2.85 | 5 / 0 | |
| 0.2.84 | 5 / 0 | |
| 0.2.83 | 5 / 0 | |
| 0.2.82 | 5 / 0 | |
| 0.2.81 | 3 / 0 | |
| 0.2.80 | 3 / 0 | |
| 0.2.79 | 3 / 0 | |
| 0.2.78 | 3 / 0 | |
| 0.2.77 | 3 / 0 | |
| 0.2.76 | 3 / 0 | |
| 0.2.75 | 3 / 0 | |
| 0.2.74 | 3 / 0 | |
| 0.2.51 | 3 / 0 | |
| 0.2.42 | 2 / 0 | |
| 0.2.41 | 2 / 0 | |
| 0.2.40 | 2 / 0 | |
| 0.2.39 | 2 / 0 | |
| 0.2.38 | 2 / 0 | |
| 0.2.37 | 2 / 0 | |
| 0.2.36 | 2 / 0 | |
| 0.2.34 | 2 / 0 | |
| 0.2.33 | 2 / 0 | |
| 0.2.32 | 2 / 0 | |
| 0.2.31 | 2 / 0 | |
| 0.2.30 | 2 / 0 | |
| 0.2.29 | 2 / 0 | |
| 0.2.28 | 2 / 0 | |
| 0.2.27 | 1 / 0 | |
| 0.2.26 | 1 / 0 | |
| 0.2.25 | 1 / 0 | |
| 0.2.24 | 1 / 0 | |
| 0.2.23 | 1 / 0 | |
| 0.2.22 | 1 / 0 | |
| 0.2.21 | 1 / 0 | |
| 0.2.20 | 1 / 0 | |
| 0.2.19 | 1 / 0 | |
| 0.2.17 | 1 / 0 | |
| 0.2.16 | 1 / 0 | |
| 0.2.14 | 1 / 0 | |
| 0.2.13 | 1 / 0 | |
| 0.2.11 | 1 / 0 | |
| 0.2.10 | 1 / 0 | |
v0.2.97
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.96
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.92
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.91
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.90
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.89
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.88
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.87
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.86
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.85
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.84
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.83
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.82
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.81
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.80
7 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Spreading entire process.env into an object — may capture all secrets 44 | const result = await execFileAsync(command, args, { 45 | cwd, > 46 | env: { 47 | ...process.env, 48 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.79
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.78
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.77
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.76
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 258 | notFoundMessage = "" 259 | } = {}) { > 260 | const spawnedEnv = { 261 | ...process.env, 262 | ...env
Spreading entire process.env into an object — may capture all secrets 374 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 375 | const inheritedPath = String(process.env.PATH || ""); > 376 | const spawnedEnv = { 377 | ...process.env, 378 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.75
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 299 | notFoundMessage = "" 300 | } = {}) { > 301 | const spawnedEnv = { 302 | ...process.env, 303 | ...env
Spreading entire process.env into an object — may capture all secrets 415 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 416 | const inheritedPath = String(process.env.PATH || ""); > 417 | const spawnedEnv = { 418 | ...process.env, 419 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.74
6 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Spreading entire process.env into an object — may capture all secrets 96 | encoding: "utf8", 97 | shell: true, > 98 | env: { 99 | ...process.env, 100 | ...env
Spreading entire process.env into an object — may capture all secrets 270 | notFoundMessage = "" 271 | } = {}) { > 272 | const spawnedEnv = { 273 | ...process.env, 274 | ...env
Spreading entire process.env into an object — may capture all secrets 386 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 387 | const inheritedPath = String(process.env.PATH || ""); > 388 | const spawnedEnv = { 389 | ...process.env, 390 | ...env,
Spreading entire process.env into an object — may capture all secrets 95 | const localBinDirectory = pathModule.join(appRoot, "node_modules", ".bin"); 96 | const inheritedPath = String(process.env.PATH || ""); > 97 | const spawnedEnv = { 98 | ...process.env, 99 | PATH: `${localBinDirectory}${pathModule.delimiter}${inheritedPath}`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.51
2 findings
Spreading entire process.env into an object — may capture all secrets 67 | cwd: cwd || process.cwd(), 68 | encoding: "utf8", > 69 | env: { 70 | ...process.env, 71 | ...env
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.42
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.41
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.40
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.39
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.38
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.37
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.36
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.34
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.33
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.32
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.31
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.30
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.26
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.23
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.