@nacho-iot/js-tools Apache-2.0 8 versions

@nacho-iot/js-tools

npm Repository Homepage

Build, run, and versioning tooling for TypeScript projects and monorepos

8

Versions

Apache-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

lauckhart

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Intentional pattern for subprocess execution helper; merging process.env with caller overrides is the documented use case.	ai	2026/05/12
phantom-deps	phantom-dep:type-fest	AI (phantom-deps): Dev/doc tooling dependency referenced in config files only; stable false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:@microsoft/tsdoc	AI (phantom-deps): Doc tooling dependency referenced in config files only; stable false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:typedoc-github-theme	AI (phantom-deps): Doc tooling dependency referenced in config files only; stable false positive for this package.	ai	2026/05/12
phantom-deps	phantom-dep:@typescript/native-preview	AI (phantom-deps): Build tooling dependency referenced in config files only; stable false positive for this package.	ai	2026/05/12

Versions (showing 8 of 8)

Version	Deps	Published
0.1.7	11 / 2	2026-05-08
0.1.6	11 / 2	2026-05-08
0.1.5	11 / 2	2026-05-07
0.1.4	11 / 2	2026-05-03
0.1.3	11 / 2	2026-04-20
0.1.2	11 / 2	2026-04-19
0.1.1	11 / 2	2026-04-19
0.1.0	11 / 2	2026-04-19

v0.1.7

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.6

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.5

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.4

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.3

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

2 findings

HIGH env-spread: src/running/execute.ts:28 semgrep

Spreading entire process.env into an object — may capture all secrets 26 | } 27 | if (env !== undefined) { > 28 | spawnOptions.env = { ...process.env, ...env }; 29 | } 30 | if (cwd !== undefined) {

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

2 findings

HIGH env-spread: src/running/execute.ts:23 semgrep

Spreading entire process.env into an object — may capture all secrets 21 | } 22 | if (env !== undefined) { > 23 | options.env = { ...process.env, ...env }; 24 | } 25 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

2 findings

HIGH env-spread: src/running/execute.ts:23 semgrep

Spreading entire process.env into an object — may capture all secrets 21 | } 22 | if (env !== undefined) { > 23 | options.env = { ...process.env, ...env }; 24 | } 25 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.