@noego/app

23 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

shavyg2

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
phantom-deps phantom-dep:deepmerge AI (phantom-deps): deepmerge is listed in dependencies; phantom-dep heuristic false positive for this package. ai
semgrep semgrep:env-spread AI (semgrep): Spreading process.env into child_process.spawn is standard CLI tooling; no exfiltration path. ai
typosquat typosquat.levenshtein:hapi AI (typosquat): Scoped package @noego/app is not a plausible typosquat of hapi; edit distance match is coincidental. ai
typosquat typosquat.levenshtein:pg AI (typosquat): Scoped package @noego/app is not a plausible typosquat of pg; edit distance match is coincidental. ai
typosquat typosquat.levenshtein:yup AI (typosquat): Scoped package @noego/app is not a plausible typosquat of yup; edit distance match is coincidental. ai
typosquat typosquat.levenshtein:ajv AI (typosquat): Scoped package @noego/app is not a plausible typosquat of ajv; edit distance match is coincidental. ai

Versions (showing 23 of 23)

Version Deps Published
0.0.34 10 / 3
0.0.33 10 / 3
0.0.32 10 / 3
0.0.31 10 / 3
0.0.30 10 / 3
0.0.28 8 / 3
0.0.27 8 / 1
0.0.26 8 / 1
0.0.25 8 / 1
0.0.24 8 / 1
0.0.23 8 / 1
0.0.22 7 / 1
0.0.21 7 / 1
0.0.20 7 / 1
0.0.19 7 / 1
0.0.9 4 / 1
0.0.7 3 / 0
0.0.6 3 / 0
0.0.5 3 / 0
0.0.4 3 / 0
0.0.3 3 / 0
0.0.2 3 / 0
0.0.1 3 / 0

v0.0.34

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.33

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.32

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.31

11 findings
HIGH env-spread: src/commands/dev.js:349 semgrep

Spreading entire process.env into an object — may capture all secrets

  347 |
  348 | // Set environment variables
> 349 | const env = {
  350 | ...process.env,
  351 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:155 semgrep

Spreading entire process.env into an object — may capture all secrets

  153 | child = spawn(process.execPath, args, {
  154 | cwd: config.rootDir,
> 155 | env: { ...process.env, NODE_ENV: 'development' },
  156 | stdio: 'inherit'
  157 | });

HIGH env-spread: src/commands/serve.js:227 semgrep

Spreading entire process.env into an object — may capture all secrets

  225 | const child = spawn(process.execPath, [viteBin], {
  226 | cwd: config.ui.rootDir,
> 227 | env: { ...process.env, NODE_ENV: 'development' },
  228 | stdio: 'inherit'
  229 | });

HIGH env-spread: src/experimental-runtime/commands/experimental_serve_command.js:108 semgrep

Spreading entire process.env into an object — may capture all secrets

  106 | },
  107 | cwd: config.rootDir,
> 108 | env: { ...process.env, NODE_ENV: 'development' },
  109 | serviceName: 'backend',
  110 | port: Number(config.dev.backendPort ?? config.dev.port ?? 3000)

HIGH env-spread: src/experimental-runtime/commands/experimental_serve_command.js:167 semgrep

Spreading entire process.env into an object — may capture all secrets

  165 | runner: { executable: process.execPath, args: [viteBin] },
  166 | cwd: config.ui.rootDir,
> 167 | env: { ...process.env, NODE_ENV: 'development' },
  168 | serviceName: 'frontend',
  169 | port: Number(config.dev.port ?? 3000)

HIGH env-spread: src/experimental-runtime/dev/experimental_dev_command.js:248 semgrep

Spreading entire process.env into an object — may capture all secrets

  246 | }
  247 | baseEnv(configFilePath, rootDir) {
> 248 | return {
  249 | ...process.env,
  250 | NODE_ENV: 'development',

HIGH env-spread: src/experimental/commands/experimental_serve_command.ts:121 semgrep

Spreading entire process.env into an object — may capture all secrets

  119 | },
  120 | cwd: config.rootDir,
> 121 | env: { ...process.env, NODE_ENV: 'development' },
  122 | serviceName: 'backend',
  123 | port: Number(config.dev.backendPort ?? config.dev.port ?? 3000)

HIGH env-spread: src/experimental/commands/experimental_serve_command.ts:188 semgrep

Spreading entire process.env into an object — may capture all secrets

  186 | runner: { executable: process.execPath, args: [viteBin] },
  187 | cwd: config.ui.rootDir,
> 188 | env: { ...process.env, NODE_ENV: 'development' },
  189 | serviceName: 'frontend',
  190 | port: Number(config.dev.port ?? 3000)

HIGH env-spread: src/experimental/dev/experimental_dev_command.ts:268 semgrep

Spreading entire process.env into an object — may capture all secrets

  266 |
  267 | private baseEnv(configFilePath: string, rootDir: string): NodeJS.ProcessEnv {
> 268 | return {
  269 | ...process.env,
  270 | NODE_ENV: 'development',

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.30

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.28

11 findings
HIGH env-spread: src/commands/dev.js:349 semgrep

Spreading entire process.env into an object — may capture all secrets

  347 |
  348 | // Set environment variables
> 349 | const env = {
  350 | ...process.env,
  351 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:155 semgrep

Spreading entire process.env into an object — may capture all secrets

  153 | child = spawn(process.execPath, args, {
  154 | cwd: config.rootDir,
> 155 | env: { ...process.env, NODE_ENV: 'development' },
  156 | stdio: 'inherit'
  157 | });

HIGH env-spread: src/commands/serve.js:227 semgrep

Spreading entire process.env into an object — may capture all secrets

  225 | const child = spawn(process.execPath, [viteBin], {
  226 | cwd: config.ui.rootDir,
> 227 | env: { ...process.env, NODE_ENV: 'development' },
  228 | stdio: 'inherit'
  229 | });

HIGH env-spread: src/experimental-runtime/commands/experimental_serve_command.js:108 semgrep

Spreading entire process.env into an object — may capture all secrets

  106 | },
  107 | cwd: config.rootDir,
> 108 | env: { ...process.env, NODE_ENV: 'development' },
  109 | serviceName: 'backend',
  110 | port: Number(config.dev.backendPort ?? config.dev.port ?? 3000)

HIGH env-spread: src/experimental-runtime/commands/experimental_serve_command.js:167 semgrep

Spreading entire process.env into an object — may capture all secrets

  165 | runner: { executable: process.execPath, args: [viteBin] },
  166 | cwd: config.ui.rootDir,
> 167 | env: { ...process.env, NODE_ENV: 'development' },
  168 | serviceName: 'frontend',
  169 | port: Number(config.dev.port ?? 3000)

HIGH env-spread: src/experimental-runtime/dev/experimental_dev_command.js:228 semgrep

Spreading entire process.env into an object — may capture all secrets

  226 | }
  227 | baseEnv(configFilePath, rootDir) {
> 228 | return {
  229 | ...process.env,
  230 | NODE_ENV: 'development',

HIGH env-spread: src/experimental/commands/experimental_serve_command.ts:121 semgrep

Spreading entire process.env into an object — may capture all secrets

  119 | },
  120 | cwd: config.rootDir,
> 121 | env: { ...process.env, NODE_ENV: 'development' },
  122 | serviceName: 'backend',
  123 | port: Number(config.dev.backendPort ?? config.dev.port ?? 3000)

HIGH env-spread: src/experimental/commands/experimental_serve_command.ts:188 semgrep

Spreading entire process.env into an object — may capture all secrets

  186 | runner: { executable: process.execPath, args: [viteBin] },
  187 | cwd: config.ui.rootDir,
> 188 | env: { ...process.env, NODE_ENV: 'development' },
  189 | serviceName: 'frontend',
  190 | port: Number(config.dev.port ?? 3000)

HIGH env-spread: src/experimental/dev/experimental_dev_command.ts:248 semgrep

Spreading entire process.env into an object — may capture all secrets

  246 |
  247 | private baseEnv(configFilePath: string, rootDir: string): NodeJS.ProcessEnv {
> 248 | return {
  249 | ...process.env,
  250 | NODE_ENV: 'development',

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.27

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.26

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.25

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.24

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.23

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.22

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.21

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.20

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.19

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.9

5 findings
HIGH env-spread: src/commands/dev.js:129 semgrep

Spreading entire process.env into an object — may capture all secrets

  127 |
  128 | // Set environment variables
> 129 | const env = {
  130 | ...process.env,
  131 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:153 semgrep

Spreading entire process.env into an object — may capture all secrets

  151 | child = spawn(process.execPath, args, {
  152 | cwd: config.rootDir,
> 153 | env: { ...process.env, NODE_ENV: 'development' },
  154 | stdio: 'inherit'
  155 | });

HIGH env-spread: src/commands/serve.js:229 semgrep

Spreading entire process.env into an object — may capture all secrets

  227 | const child = spawn(process.execPath, [viteBin], {
  228 | cwd: config.ui.rootDir,
> 229 | env: { ...process.env, NODE_ENV: 'development' },
  230 | stdio: 'inherit'
  231 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.7

5 findings
HIGH env-spread: src/commands/dev.js:93 semgrep

Spreading entire process.env into an object — may capture all secrets

  91 |
  92 | // Set environment variables
> 93 | const env = {
  94 | ...process.env,
  95 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:153 semgrep

Spreading entire process.env into an object — may capture all secrets

  151 | child = spawn(process.execPath, args, {
  152 | cwd: config.rootDir,
> 153 | env: { ...process.env, NODE_ENV: 'development' },
  154 | stdio: 'inherit'
  155 | });

HIGH env-spread: src/commands/serve.js:229 semgrep

Spreading entire process.env into an object — may capture all secrets

  227 | const child = spawn(process.execPath, [viteBin], {
  228 | cwd: config.ui.rootDir,
> 229 | env: { ...process.env, NODE_ENV: 'development' },
  230 | stdio: 'inherit'
  231 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.6

5 findings
HIGH env-spread: src/commands/dev.js:93 semgrep

Spreading entire process.env into an object — may capture all secrets

  91 |
  92 | // Set environment variables
> 93 | const env = {
  94 | ...process.env,
  95 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.5

5 findings
HIGH env-spread: src/commands/dev.js:93 semgrep

Spreading entire process.env into an object — may capture all secrets

  91 |
  92 | // Set environment variables
> 93 | const env = {
  94 | ...process.env,
  95 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.4

5 findings
HIGH env-spread: src/commands/dev.js:93 semgrep

Spreading entire process.env into an object — may capture all secrets

  91 |
  92 | // Set environment variables
> 93 | const env = {
  94 | ...process.env,
  95 | NODE_ENV: 'development',

HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

4 findings
HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

4 findings
HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

4 findings
HIGH env-spread: src/commands/serve.js:134 semgrep

Spreading entire process.env into an object — may capture all secrets

  132 | child = spawn(process.execPath, args, {
  133 | cwd: config.rootDir,
> 134 | env: { ...process.env, NODE_ENV: 'development' },
  135 | stdio: 'inherit'
  136 | });

HIGH env-spread: src/commands/serve.js:206 semgrep

Spreading entire process.env into an object — may capture all secrets

  204 | const child = spawn(process.execPath, [viteBin], {
  205 | cwd: config.ui.rootDir,
> 206 | env: { ...process.env, NODE_ENV: 'development' },
  207 | stdio: 'inherit'
  208 | });

HIGH env-spread: src/utils/command.js:7 semgrep

Spreading entire process.env into an object — may capture all secrets

  5 | const child = spawn(command, args, {
  6 | cwd,
> 7 | env: { ...process.env, ...env },
  8 | stdio: 'inherit',
  9 | shell: false

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.