← Home

@openscout/runtime

npm

Local runtime foundation for the OpenScout control plane

61
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arach

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:shady-links-raw-ip AI (semgrep): All raw-IP hits are localhost (127.0.0.1) in test files — not production exfiltration. ai
semgrep semgrep:base64-decode AI (semgrep): Decodes a PEM private key from base64 in mobile-push.ts — standard crypto key handling. ai
semgrep semgrep:env-spread AI (semgrep): env-spread occurs only in test files (broker-daemon.test.ts), passing inherited env to a subprocess under test — standard test harness pattern, not a production secret exfiltration risk. ai

Versions (showing 61 of 61)

Version Deps Published
0.2.64 7 / 4
0.2.63 7 / 4
0.2.62 4 / 3
0.2.61 4 / 3
0.2.60 4 / 3
0.2.58 4 / 3
0.2.57 4 / 3
0.2.56 4 / 3
0.2.55 4 / 3
0.2.54 4 / 3
0.2.53 4 / 3
0.2.52 4 / 3
0.2.51 4 / 3
0.2.50 4 / 3
0.2.49 4 / 3
0.2.48 4 / 3
0.2.47 4 / 3
0.2.46 4 / 3
0.2.45 2 / 2
0.2.44 2 / 2
0.2.43 2 / 2
0.2.42 2 / 2
0.2.41 2 / 2
0.2.40 2 / 2
0.2.39 2 / 2
0.2.38 2 / 2
0.2.37 2 / 2
0.2.36 2 / 2
0.2.35 2 / 2
0.2.34 2 / 2
0.2.33 2 / 2
0.2.32 2 / 2
0.2.31 2 / 2
0.2.30 2 / 2
0.2.29 2 / 2
0.2.28 2 / 2
0.2.27 2 / 2
0.2.26 2 / 2
0.2.25 2 / 2
0.2.24 2 / 2
0.2.23 2 / 2
0.2.22 2 / 2
0.2.21 2 / 2
0.2.20 2 / 2
0.2.19 2 / 2
0.2.18 2 / 2
0.2.17 2 / 2
0.2.16 2 / 2
0.2.15 2 / 2
0.2.13 2 / 2
0.2.12 2 / 2
0.2.11 2 / 2
0.2.10 1 / 2
0.2.8 1 / 2
0.2.6 1 / 2
0.2.5 1 / 2
0.2.4 1 / 2
0.2.2 1 / 2
0.2.0 1 / 2
0.1.1 1 / 2
0.1.0 1 / 2

v0.2.64

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: arach.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.63

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.62

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.61

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.60

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.58

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.57

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.56

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.55

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.54

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.53

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.52

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.51

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.50

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.49

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.48

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.47

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.46

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.45

3 findings
HIGH env-spread: src/broker-daemon.test.ts:44 semgrep

Spreading entire process.env into an object — may capture all secrets 42 | cmd: ["bun", "run", "src/broker-daemon.ts"], 43 | cwd: runtimeDir, > 44 | env: { 45 | ...process.env, 46 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.44

3 findings
HIGH env-spread: src/broker-daemon.test.ts:44 semgrep

Spreading entire process.env into an object — may capture all secrets 42 | cmd: ["bun", "run", "src/broker-daemon.ts"], 43 | cwd: runtimeDir, > 44 | env: { 45 | ...process.env, 46 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.43

3 findings
HIGH env-spread: src/broker-daemon.test.ts:44 semgrep

Spreading entire process.env into an object — may capture all secrets 42 | cmd: ["bun", "run", "src/broker-daemon.ts"], 43 | cwd: runtimeDir, > 44 | env: { 45 | ...process.env, 46 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.42

3 findings
HIGH env-spread: src/broker-daemon.test.ts:44 semgrep

Spreading entire process.env into an object — may capture all secrets 42 | cmd: ["bun", "run", "src/broker-daemon.ts"], 43 | cwd: runtimeDir, > 44 | env: { 45 | ...process.env, 46 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.41

3 findings
HIGH env-spread: src/broker-daemon.test.ts:39 semgrep

Spreading entire process.env into an object — may capture all secrets 37 | cmd: ["bun", "run", "src/broker-daemon.ts"], 38 | cwd: runtimeDir, > 39 | env: { 40 | ...process.env, 41 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.40

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.39

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:410 semgrep

Spreading entire process.env into an object — may capture all secrets 408 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 409 | const result = spawnSync(command, args, { > 410 | env: { 411 | ...process.env, 412 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.38

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:383 semgrep

Spreading entire process.env into an object — may capture all secrets 381 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 382 | const result = spawnSync(command, args, { > 383 | env: { 384 | ...process.env, 385 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.37

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:360 semgrep

Spreading entire process.env into an object — may capture all secrets 358 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 359 | const result = spawnSync(command, args, { > 360 | env: { 361 | ...process.env, 362 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.36

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.35

4 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: arach.

HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.34

4 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: arach.

HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.33

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.32

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.31

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.30

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.29

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.28

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.27

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.26

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.25

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.24

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.23

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.22

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.21

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.20

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.19

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.18

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.17

3 findings
HIGH env-spread: src/broker-daemon.test.ts:38 semgrep

Spreading entire process.env into an object — may capture all secrets 36 | cmd: ["bun", "run", "src/broker-daemon.ts"], 37 | cwd: runtimeDir, > 38 | env: { 39 | ...process.env, 40 | OPENSCOUT_CONTROL_HOME: controlHome,

HIGH env-spread: src/broker-service.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | function runCommand(command: string, args: string[], options?: { allowFailure?: boolean; env?: Record<string, string> }) 354 | const result = spawnSync(command, args, { > 355 | env: { 356 | ...process.env, 357 | ...(options?.env ?? {}),

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.