@mcpc-tech/acp-ai-provider

51 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

yaonyan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Pattern is used for subprocess env construction (spread base env + config overrides); not exfiltration. Stable for this package. | ai |

Versions (showing 51 of 62)

Version Deps Published
0.3.3 6 / 0
0.3.2 6 / 0
0.3.1 6 / 0
0.3.0 5 / 0
0.2.9 5 / 0
0.2.8 5 / 0
0.2.7 5 / 0
0.2.6 5 / 0
0.2.5 5 / 0
0.2.4 5 / 0
0.2.3 5 / 0
0.2.2 4 / 0
0.2.1 4 / 0
0.2.0 4 / 0
0.1.59 6 / 0
0.1.58 6 / 0
0.1.57 5 / 0
0.1.56 5 / 0
0.1.55 5 / 0
0.1.54 5 / 0
0.1.53 5 / 0
0.1.52 5 / 0
0.1.51 5 / 0
0.1.50 5 / 0
0.1.49 5 / 0
0.1.47 4 / 0
0.1.46 4 / 0
0.1.45 4 / 0
0.1.44 4 / 0
0.1.43 4 / 0
0.1.42 4 / 0
0.1.41 4 / 0
0.1.40 4 / 0
0.1.39 4 / 0
0.1.38 4 / 0
0.1.37 4 / 0
0.1.36 4 / 0
0.1.35 4 / 0
0.1.34 4 / 0
0.1.33 4 / 0
0.1.32 3 / 0
0.1.31 4 / 0
0.1.30 4 / 0
0.1.29 4 / 0
0.1.28 4 / 0
0.1.27 4 / 0
0.1.25 4 / 0
0.1.24 4 / 0
0.1.23 4 / 0
0.1.21 4 / 0
0.1.20 4 / 0

v0.3.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.8

2 findings
HIGH env-spread: index.mjs:710 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/abd8d50fef101dd7b930bc612f7131baa8151738/index.mjs#L710

  708 | "inherit"
  709 | ],
> 710 | env: {
  711 | ...process.env,
  712 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.7

2 findings
HIGH env-spread: index.mjs:710 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/8be80a60c4f89d06c786e3340d15c056436d9606/index.mjs#L710

  708 | "inherit"
  709 | ],
> 710 | env: {
  711 | ...process.env,
  712 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.6

2 findings
HIGH env-spread: index.mjs:710 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/e50a97fc70dff9ce5d5b9c31968c57b31fc4d860/index.mjs#L710

  708 | "inherit"
  709 | ],
> 710 | env: {
  711 | ...process.env,
  712 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.5

2 findings
HIGH env-spread: index.mjs:703 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/3300ff33d54c0dda205859694533938ad067cbde/index.mjs#L703

  701 | "inherit"
  702 | ],
> 703 | env: {
  704 | ...process.env,
  705 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.4

2 findings
HIGH env-spread: index.mjs:660 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/6ea5e1c820911c9452279bc9ca74752c50b45bb5/index.mjs#L660

  658 | "inherit"
  659 | ],
> 660 | env: {
  661 | ...process.env,
  662 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.3

2 findings
HIGH env-spread: index.mjs:610 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/17239ac4b0913abff138f6c04d30a7576848ad40/index.mjs#L610

  608 | "inherit"
  609 | ],
> 610 | env: {
  611 | ...process.env,
  612 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.2

2 findings
HIGH env-spread: index.mjs:601 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/512656ed384f055a09a8afb15987c83c84560058/index.mjs#L601

  599 | "inherit"
  600 | ],
> 601 | env: {
  602 | ...process.env,
  603 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

2 findings
HIGH env-spread: index.mjs:601 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/b782ff1895f38ec36bacb565f54fcffb33081936/index.mjs#L601

  599 | "inherit"
  600 | ],
> 601 | env: {
  602 | ...process.env,
  603 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

2 findings
HIGH env-spread: index.mjs:589 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/a647395533fe24247ccc0e961322b1ff23577bce/index.mjs#L589

  587 | "inherit"
  588 | ],
> 589 | env: {
  590 | ...process.env,
  591 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.59

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.58

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.57

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.56

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.55

2 findings
HIGH env-spread: index.mjs:698 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/1ea0efee73d0677fb90c373b59c1f4b00e236fb9/index.mjs#L698

  696 | "inherit"
  697 | ],
> 698 | env: {
  699 | ...process.env,
  700 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.54

2 findings
HIGH env-spread: index.mjs:698 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/2230b5b5ac9de34173c2e1a1bf47a29569372ad5/index.mjs#L698

  696 | "inherit"
  697 | ],
> 698 | env: {
  699 | ...process.env,
  700 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.53

2 findings
HIGH env-spread: index.mjs:698 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/614c0dcb2c1d3c694c6181c981447bfb8a57f3ec/index.mjs#L698

  696 | "inherit"
  697 | ],
> 698 | env: {
  699 | ...process.env,
  700 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.52

2 findings
HIGH env-spread: index.mjs:663 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/3a9f387b41bd37e1f6de9402b1479e1656cf8bf7/index.mjs#L663

  661 | "inherit"
  662 | ],
> 663 | env: {
  664 | ...process.env,
  665 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.51

2 findings
HIGH env-spread: index.mjs:663 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/50b56c322525e26350cf2ea2e3978099a726ea9a/index.mjs#L663

  661 | "inherit"
  662 | ],
> 663 | env: {
  664 | ...process.env,
  665 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.50

2 findings
HIGH env-spread: index.mjs:649 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/1fa30d6c4b3ec74868eebe8614de64d9fc886305/index.mjs#L649

  647 | "inherit"
  648 | ],
> 649 | env: {
  650 | ...process.env,
  651 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.49

2 findings
HIGH env-spread: index.mjs:599 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/273ae3d676229b41eee558441ad344def9bbe3c9/index.mjs#L599

  597 | "inherit"
  598 | ],
> 599 | env: {
  600 | ...process.env,
  601 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.47

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/f4a510367980fa122888484aa3b42023625c655b/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.46

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/3c2724029edcd064c4a0ec232ec38ae3066698d2/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.45

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/89173db889041f6ba8bcff07a93a99f6b3530bb2/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.44

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/e29d2ef3b3f73c20e7fef8b73eedad560a92e708/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.43

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/6ebb169266676d49d73aa0f29c21f0caa86cf861/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.42

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/6ec2218f822ced4ad74b0e916f4845ad70494d8c/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.41

2 findings
HIGH env-spread: index.mjs:590 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/8fd7e6bf2dc5874fadd7ea54b766682a5e75f107/index.mjs#L590

  588 | "inherit"
  589 | ],
> 590 | env: {
  591 | ...process.env,
  592 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.40

2 findings
HIGH env-spread: index.mjs:595 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/424520ed6572e9edcf498ffe7176ce6ed3f46a12/index.mjs#L595

  593 | "inherit"
  594 | ],
> 595 | env: {
  596 | ...process.env,
  597 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.39

2 findings
HIGH env-spread: index.mjs:584 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/aadade4e36ad8be05730bf912700f4bbf98cbefb/index.mjs#L584

  582 | "inherit"
  583 | ],
> 584 | env: {
  585 | ...process.env,
  586 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.38

2 findings
HIGH env-spread: index.mjs:579 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/7447fe5c1147a8c508de6b8b9124c4293c1b7d66/index.mjs#L579

  577 | "inherit"
  578 | ],
> 579 | env: {
  580 | ...process.env,
  581 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.37

2 findings
HIGH env-spread: index.mjs:579 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/935f9b331746970f56162b2913bf84c88aa604ad/index.mjs#L579

  577 | "inherit"
  578 | ],
> 579 | env: {
  580 | ...process.env,
  581 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.36

2 findings
HIGH env-spread: index.mjs:579 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/e6d515e05ee8c406ce7e28dcb5711ca57d2330dc/index.mjs#L579

  577 | "inherit"
  578 | ],
> 579 | env: {
  580 | ...process.env,
  581 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.35

2 findings
HIGH env-spread: index.mjs:578 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/f2189da25bbadbc0aa84fe0f63150e46f0a59089/index.mjs#L578

  576 | "inherit"
  577 | ],
> 578 | env: {
  579 | ...process.env,
  580 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.34

2 findings
HIGH env-spread: index.mjs:570 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/98bcf07a8bcfc37110663e0895890049d5a0b7c7/index.mjs#L570

  568 | "inherit"
  569 | ],
> 570 | env: {
  571 | ...process.env,
  572 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.33

2 findings
HIGH env-spread: index.mjs:570 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/50eff3497947af4eced442e77086fe6c868fa384/index.mjs#L570

  568 | "inherit"
  569 | ],
> 570 | env: {
  571 | ...process.env,
  572 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.32

2 findings
HIGH env-spread: index.mjs:536 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/8d3c966b77e829034aa561d9976820ab02093905/index.mjs#L536

  534 | "inherit"
  535 | ],
> 536 | env: {
  537 | ...process.env,
  538 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.31

2 findings
HIGH env-spread: index.mjs:542 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/5eda3ba089c6e5c5f6da347ca2968e19df292505/index.mjs#L542

  540 | "inherit"
  541 | ],
> 542 | env: {
  543 | ...process.env,
  544 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.30

2 findings
HIGH env-spread: index.mjs:540 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/9bc628b1b48ea9a3c2a39ce3e96ec56c2abff2ff/index.mjs#L540

  538 | "inherit"
  539 | ],
> 540 | env: {
  541 | ...process.env,
  542 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.29

2 findings
HIGH env-spread: index.mjs:540 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/36a1a9f4869cbdc95f4b4061e486f623bcc83aed/index.mjs#L540

  538 | "inherit"
  539 | ],
> 540 | env: {
  541 | ...process.env,
  542 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.28

2 findings
HIGH env-spread: index.mjs:536 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/8b4f3e13abbf3b95104a629113fcf2eae6bf2483/index.mjs#L536

  534 | "inherit"
  535 | ],
> 536 | env: {
  537 | ...process.env,
  538 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.27

2 findings
HIGH env-spread: index.mjs:527 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/dec580d1e87a9a47ccd7c84fdd7e7560c313658b/index.mjs#L527

  525 | "inherit"
  526 | ],
> 527 | env: {
  528 | ...process.env,
  529 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.25

2 findings
HIGH env-spread: index.mjs:203 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/ed7b7b33810cc4c6031f78266664fd6c6b6fe92c/index.mjs#L203

  201 | "inherit"
  202 | ],
> 203 | env: {
  204 | ...process.env,
  205 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.24

2 findings
HIGH env-spread: index.mjs:203 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/a11e5cf17920a6cd18e614889be2e372c6e02a83/index.mjs#L203

  201 | "inherit"
  202 | ],
> 203 | env: {
  204 | ...process.env,
  205 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.23

2 findings
HIGH env-spread: index.mjs:203 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/0a2e4eab5b2cbb9701fc9d5b6d952ab2f63b7892/index.mjs#L203

  201 | "inherit"
  202 | ],
> 203 | env: {
  204 | ...process.env,
  205 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.21

2 findings
HIGH env-spread: index.mjs:220 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/0be82ab21a70ce1b370ca0bf3913ea25f34b072e/index.mjs#L220

  218 | "inherit"
  219 | ],
> 220 | env: {
  221 | ...process.env,
  222 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.20

2 findings
HIGH env-spread: index.mjs:220 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mcpc-tech/mcpc/blob/18d84dacbfa7d3f1d75ddd07a16d90e0b96b5d75/index.mjs#L220

  218 | "inherit"
  219 | ],
> 220 | env: {
  221 | ...process.env,
  222 | ...this.config.env

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.