@n24q02m/better-email-mcp
Better MCP server for Email (IMAP/SMTP) with composite tools optimized for AI agents
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dll-hijacking-commands | AI (semgrep): Fires on minified bundle boilerplate (Object.create/defineProperty); no actual DLL side-loading present in this package. | ai | |
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): better-sqlite3 is a declared runtime dep added in this version; likely used via @n24q02m/mcp-core indirectly. | ai | |
| source-diff | encoded-string-file:bin/cli.mjs | AI (source-diff): Long strings are minified marked/bundled output, not obfuscated payloads; stable pattern for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI/CD with Sigstore attestation; stable signal for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires inside bundled marked.js library code, not package logic; stable false positive. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside bundled postcss/parser code in cli.mjs bundle; not package-authored code. | ai | |
Versions (showing 51 of 68)
| Version | Deps | Published |
|---|---|---|
| 1.32.2 | 8 / 12 | |
| 1.32.1 | 8 / 12 | |
| 1.32.0 | 8 / 12 | |
| 1.31.3 | 8 / 12 | |
| 1.31.2 | 8 / 12 | |
| 1.31.1 | 8 / 12 | |
| 1.31.0 | 8 / 12 | |
| 1.30.0 | 8 / 12 | |
| 1.29.0 | 8 / 12 | |
| 1.28.0 | 8 / 12 | |
| 1.27.0 | 8 / 12 | |
| 1.26.3 | 8 / 12 | |
| 1.26.2 | 8 / 12 | |
| 1.26.1 | 8 / 12 | |
| 1.26.0 | 8 / 12 | |
| 1.25.2 | 8 / 12 | |
| 1.25.1 | 8 / 12 | |
| 1.25.0 | 8 / 12 | |
| 1.24.0 | 8 / 12 | |
| 1.23.9 | 8 / 12 | |
| 1.23.8 | 8 / 12 | |
| 1.23.7 | 8 / 12 | |
| 1.23.6 | 8 / 12 | |
| 1.23.5 | 8 / 12 | |
| 1.23.4 | 8 / 12 | |
| 1.23.2 | 8 / 12 | |
| 1.23.1 | 8 / 12 | |
| 1.23.0 | 8 / 12 | |
| 1.22.6 | 8 / 12 | |
| 1.22.5 | 8 / 12 | |
| 1.22.4 | 8 / 12 | |
| 1.22.3 | 9 / 12 | |
| 1.22.2 | 9 / 12 | |
| 1.22.1 | 9 / 12 | |
| 1.22.0 | 8 / 12 | |
| 1.21.0 | 10 / 13 | |
| 1.19.0 | 10 / 13 | |
| 1.17.0 | 10 / 13 | |
| 1.14.0 | 7 / 12 | |
| 1.13.0 | 7 / 12 | |
| 1.12.0 | 7 / 12 | |
| 1.11.0 | 7 / 12 | |
| 1.10.1 | 7 / 12 | |
| 1.10.0 | 7 / 12 | |
| 1.9.0 | 7 / 12 | |
| 1.8.0 | 7 / 12 | |
| 1.7.0 | 7 / 12 | |
| 1.6.0 | 7 / 12 | |
| 1.5.0 | 7 / 12 | |
| 1.4.7 | 6 / 11 | |
| 1.4.6 | 6 / 11 | |
v1.32.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.32.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.32.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.31.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.31.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.31.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.31.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.29.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.1
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.9
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.8
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.6
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.5
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.4
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.1
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.2
3 findings
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/f9bcabac31c3d4eb5f70eacf7d0a91b11e9bdac3/bin/cli.mjs#L3
```
  1 | #!/usr/bin/env node
  2 | import { createRequire } from 'module';const require = createRequire(import.meta.url);
> 3 | var g0=Object.create;var ei=Object.defineProperty;var m0=Object.getOwnPropertyDescriptor;var b0=Object.getOwnPropertyNam
  4 | Visit: ${u.verificationUri}
  5 | Enter code: ${u.userCode}
```
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/f9bcabac31c3d4eb5f70eacf7d0a91b11e9bdac3/bin/cli.mjs#L26
```
  24 | ${i.relayUrl}
  25 | `),rd(n,i).catch(()=>{}),or}catch{return console.error(`Cannot reach relay server. Set EMAIL_CREDENTIALS manually.
> 26 | Format: email1:password1,email2:password2`),se="awaiting_setup",null}}async function rd(t,e){try{let{pollForResult:r,wri
  27 | `).map(u=>{let s=u.match(r.other.beginningSpace);if(s===null)return u;let[a]=s;return a.length>=i.length?u.slice(i.lengt
  28 | `)}function N(t,e){return xt.parse(t,e)}var vt,wt,kd,ae,Bd,Dd,Td,hr,_d,Si,co,lo,Od,Ei,Rd,ki,Nd,Md,on,Bi,Ld,Ao,Fd,Di,ro,P
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.1
3 findings
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/2068a39d0b1d2bb429c981da05cf2fe3692fea27/bin/cli.mjs#L3
```
  1 | #!/usr/bin/env node
  2 | import { createRequire } from 'module';const require = createRequire(import.meta.url);
> 3 | var g0=Object.create;var ei=Object.defineProperty;var m0=Object.getOwnPropertyDescriptor;var b0=Object.getOwnPropertyNam
  4 | Visit: ${u.verificationUri}
  5 | Enter code: ${u.userCode}
```
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/2068a39d0b1d2bb429c981da05cf2fe3692fea27/bin/cli.mjs#L26
```
  24 | ${i.relayUrl}
  25 | `),rd(n,i).catch(()=>{}),or}catch{return console.error(`Cannot reach relay server. Set EMAIL_CREDENTIALS manually.
> 26 | Format: email1:password1,email2:password2`),se="awaiting_setup",null}}async function rd(t,e){try{let{pollForResult:r,wri
  27 | `).map(u=>{let s=u.match(r.other.beginningSpace);if(s===null)return u;let[a]=s;return a.length>=i.length?u.slice(i.lengt
  28 | `)}function N(t,e){return xt.parse(t,e)}var vt,wt,kd,ae,Bd,Dd,Td,hr,_d,Si,co,lo,Od,Ei,Rd,ki,Nd,Md,on,Bi,Ld,Ao,Fd,Di,ro,P
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.0
3 findings
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/1134de5736283d128d133c857b2bf0d6cbf63ac6/bin/cli.mjs#L3
```
  1 | #!/usr/bin/env node
  2 | import { createRequire } from 'module';const require = createRequire(import.meta.url);
> 3 | var g0=Object.create;var ei=Object.defineProperty;var m0=Object.getOwnPropertyDescriptor;var b0=Object.getOwnPropertyNam
  4 | Visit: ${u.verificationUri}
  5 | Enter code: ${u.userCode}
```
DLL side-loading command detected — potential DLL hijacking
Source: https://github.com/n24q02m/better-email-mcp/blob/1134de5736283d128d133c857b2bf0d6cbf63ac6/bin/cli.mjs#L26
```
  24 | ${i.relayUrl}
  25 | `),rd(n,i).catch(()=>{}),or}catch{return console.error(`Cannot reach relay server. Set EMAIL_CREDENTIALS manually.
> 26 | Format: email1:password1,email2:password2`),se="awaiting_setup",null}}async function rd(t,e){try{let{pollForResult:r,wri
  27 | `).map(u=>{let s=u.match(r.other.beginningSpace);if(s===null)return u;let[a]=s;return a.length>=i.length?u.slice(i.lengt
  28 | `)}function N(t,e){return xt.parse(t,e)}var vt,wt,kd,ae,Bd,Dd,Td,hr,_d,Si,co,lo,Od,Ei,Rd,ki,Nd,Md,on,Bi,Ld,Ao,Fd,Di,ro,P
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.21.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.19.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.17.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.