@leeguoo/mailbox-cli
Mailbox CLI (binary distribution)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is intentional: passes current env to spawned binary subprocess, standard launcher pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used solely to spawn the platform-specific binary; expected for a binary distribution wrapper. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): dynamic require loads optional platform-specific binary packages by name; standard pattern for cross-platform binary distribution. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 2.10.1 | 0 / 0 | |
| 2.10.0 | 0 / 0 | |
| 2.9.5 | 0 / 0 | |
| 2.9.4 | 0 / 0 | |
| 2.9.3 | 0 / 0 | |
| 2.9.2 | 0 / 0 | |
| 2.9.1 | 0 / 0 | |
| 2.9.0 | 0 / 0 | |
| 2.8.5 | 0 / 0 | |
| 2.8.4 | 0 / 0 | |
| 2.8.3 | 0 / 0 | |
| 2.8.2 | 0 / 0 | |
| 2.8.1 | 0 / 0 | |
| 2.0.8 | 0 / 0 | |
| 2.0.7 | 0 / 0 | |
| 2.0.4 | 0 / 0 | |
| 2.0.3 | 0 / 0 | |
| 2.0.1 | 0 / 0 | |
v2.10.0
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/5d0c3cf68b930ffaa357b1a0e0584219cb438596/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.5
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/e841be13e12bc382194258a8002aff0c7672ce3d/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.4
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/0f60f7dc10b57fd1a6f22bb4a1d37517460cd21a/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.3
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/fc43625dc8c39d26cd41b875a9d888271d62527b/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.2
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/e8646e82aa142cd45629fe8deccc055e4a6226b9/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.1
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/594f311d61df96333b63a4d9bce8a51eacd11f76/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.0
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/4275063aa84043a0755d3c65c581faad2c752ad5/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.5
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/9454cad99ee818ab6390919ca6b5f906d8ebeece/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.4
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/98130b7a55c0f66b204c5a7a823b6e50acffe6ae/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.3
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/c9e97d23a9c77eb25c3c6e2284bd3658e1b8738d/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.2
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/03f062ccbef0f1f4a5e8a9e365ba5fa527416768/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.1
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/Mailbox/blob/071b2e7a5ae73cf7cf4eb807d3ddbd5c49b13d14/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.8
2 findings

Finding: Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/leeguooooo/email-mcp-service/blob/caa2ce260176550b45c8534df5f47fe95a6a6b98/bin/mailbox.js#L58

```js
  56 |
  57 | const args = process.argv.slice(2);
> 58 | const env = { ...process.env };
  59 | if (launcherVersion) env.MAILBOX_CLI_VERSION = launcherVersion;
  60 | const r = spawnSync(binaryPath, args, { stdio: "inherit", env });
```

Finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.7
1 finding

Finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.4
1 finding

Finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.3
1 finding

Finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
1 finding

Finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.