@openscout/web
Standalone lightweight Scout web UI with its own bundled Bun server
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing proves the archive on the registry was built from the repository at the commit it claims, and a gitHead value is only a pointer written by the publishing client, not something the registry verifies. The axios compromise (March 2026) relied on exactly this gap.
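As an added example (not part of the scanner or of @openscout/web): the two publish-environment checks this page's provenance and gitHead findings rest on, run over a packument, the JSON the npm registry returns for a package. The registry field names used (`dist.attestations`, `gitHead`, `_npmUser`, `time`) are real; the package `example-pkg`, its versions, accounts and timestamps are constructed for the demo, and `auditPublishEnvironment` / `latestStatus` are hypothetical helper names.

```javascript
// Added example: audit the publish-environment signals behind the findings on
// this page over an npm packument (GET https://registry.npmjs.org/<name>).
// Registry fields used, all real: versions[v].dist.attestations (present only
// when a Sigstore provenance bundle was uploaded with the tarball),
// versions[v].gitHead (written by the npm client when publishing from a git
// checkout; the registry does not verify it), versions[v]._npmUser.name (the
// publishing account) and time[v] (publish timestamp).
// The packument below is constructed for the demo; 'example-pkg' is not a real package.

const samplePackument = {
  name: 'example-pkg',
  time: {
    '1.0.0': '2025-01-01T00:00:00.000Z',
    '1.0.1': '2025-02-01T00:00:00.000Z',
    '1.0.2': '2025-03-01T00:00:00.000Z',
    '1.0.3': '2025-04-01T00:00:00.000Z',
  },
  versions: {
    '1.0.0': { gitHead: 'a'.repeat(40), _npmUser: { name: 'alice' }, dist: {} },
    '1.0.1': { gitHead: 'b'.repeat(40), _npmUser: { name: 'alice' }, dist: {} },
    // gitHead gone and a different publishing account: the v0.2.64 pattern plus one more signal
    '1.0.2': { _npmUser: { name: 'release-bot' }, dist: {} },
    // a later release published with provenance
    '1.0.3': {
      gitHead: 'c'.repeat(40),
      _npmUser: { name: 'release-bot' },
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.0.3',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// A version has provenance when the registry lists a provenance attestation.
// This only says a bundle exists; `npm audit signatures` (or sigstore-js)
// verifies it against the tarball digest and the transparency log.
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// Packument key order is not a reliable publish order; sort by the time map.
function versionsInPublishOrder(packument) {
  const times = packument.time || {};
  const at = (v) => (times[v] ? Date.parse(times[v]) : 0);
  return Object.keys(packument.versions).sort((a, b) => at(a) - at(b));
}

function auditPublishEnvironment(packument) {
  const report = [];
  let prev = null;
  for (const version of versionsInPublishOrder(packument)) {
    const doc = packument.versions[version];
    const findings = [];
    if (!hasProvenance(doc)) findings.push('no-provenance');
    // gitHead present on the previous publish but absent now: the client or the
    // directory it published from changed (the v0.2.64 finding on this page)
    if (prev && prev.gitHead && !doc.gitHead) findings.push('gitHead-dropped');
    if (prev && prev._npmUser && doc._npmUser && prev._npmUser.name !== doc._npmUser.name) {
      findings.push('publisher-changed');
    }
    report.push({
      version,
      gitHead: doc.gitHead || null,
      publisher: doc._npmUser ? doc._npmUser.name : null,
      provenance: hasProvenance(doc),
      findings,
    });
    prev = doc;
  }
  return report;
}

// Status for the latest published version, the view the report header shows.
function latestStatus(packument) {
  const report = auditPublishEnvironment(packument);
  return report[report.length - 1];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPublishEnvironment(samplePackument), null, 2));
}
```

Presence of `dist.attestations` is a metadata check, not a verification; once a maintainer enables provenance, run `npm audit signatures` in a project that depends on the package to have the npm client verify the bundle against the downloaded tarball.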
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/client/assets/arc.es-B2XMIUBi.js | AI (source-diff): Standard Vite minified bundle; sample shows readable React/UI code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-DiSMCren.js | AI (source-diff): Standard Vite minified bundle; sample shows readable React runtime code, not obfuscation. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): Imported inside bundled client assets, not raw source; phantom-dep is FP. | ai | |
| phantom-deps | phantom-dep:@voxd/client | AI (phantom-deps): Imported inside bundled client assets; phantom-dep is FP. | ai | |
| phantom-deps | phantom-dep:ai | AI (phantom-deps): Used in server build output; phantom-dep is FP. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Used in server code; phantom-dep is FP. | ai | |
| phantom-deps | phantom-dep:node-pty | AI (phantom-deps): Used in terminal relay server build; phantom-dep is FP. | ai | |
| source-diff | obfuscated-file:dist/client/assets/arc.es-DglF81f4.js | AI (source-diff): Vite production bundle of @arach/arc UI library; minification is expected. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-BRvY3oC-.js | AI (source-diff): Vite production bundle containing React runtime; standard minified output. | ai | |
| source-diff | obfuscated-file:dist/client/assets/index-TVkH_WDG.js | AI (source-diff): Bundled @voxd/client SDK talking to localhost; standard minified output. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/react | AI (phantom-deps): Imported inside bundled client assets; phantom-dep is FP. | ai | |
| phantom-deps | phantom-dep:uqr | AI (phantom-deps): uqr is a declared dependency bundled via Vite for QR code generation; not directly imported in scanned source but legitimately used in the compiled dist output. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread in bin/openscout-web.mjs is a CLI launcher pattern forwarding process.env to a subprocess — no exfiltration, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): react is a declared dependency bundled via Vite; not directly imported in scanned source but legitimately used in the compiled dist output. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is a declared dependency bundled via Vite; same rationale as react phantom-dep finding. | ai | |
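As an added example (not the project's bin/openscout-web.mjs, which this page does not reproduce): the launcher pattern the `semgrep:env-spread` row accepts, next to an allow-list version of the same step that forwards only what the child needs and reports any credential-looking names that still get through. The baseline list, the `OPENSCOUT_` prefix, the secret-name pattern and the helper names are assumptions for the demo.

```javascript
// Added example, not the project's own launcher. Two ways to build the
// environment handed to a child process from a CLI wrapper.

// Variables most CLI children need in order to run at all; anything else is
// opt-in. The list is an assumption for the demo, extend it per tool.
const BASELINE_ALLOW = ['PATH', 'HOME', 'USER', 'SHELL', 'TERM', 'LANG', 'LC_ALL', 'TMPDIR', 'TZ', 'NODE_ENV'];
// Names that usually carry credentials; used only to flag, never to read values.
const SECRET_LIKE = /(^|_)(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIALS)(_|$)/i;

// The pattern the scanner flagged: the child inherits every variable the parent
// has, e.g. AWS_SECRET_ACCESS_KEY or NPM_TOKEN. Acceptable for a local launcher
// the user runs on purpose; a liability if the child, or any module it loads,
// is ever compromised.
function envForwardAll(parentEnv) {
  return { ...parentEnv };
}

// Hardened variant: forward the baseline plus variables carrying the app's own
// prefix ('OPENSCOUT_' is assumed here), drop everything else, and report which
// forwarded names still look like credentials so the caller can log that fact.
function buildChildEnv(parentEnv, { allow = BASELINE_ALLOW, prefix = 'OPENSCOUT_' } = {}) {
  const env = {};
  const dropped = [];
  const flagged = [];
  for (const [name, value] of Object.entries(parentEnv)) {
    if (value === undefined) continue;
    if (allow.includes(name) || name.startsWith(prefix)) {
      env[name] = value;
      if (SECRET_LIKE.test(name)) flagged.push(name);
    } else {
      dropped.push(name);
    }
  }
  return { env, dropped, flagged };
}

// Launch helper using the hardened builder. child_process is required lazily so
// the pure functions above can be exercised without spawning anything.
function launch(command, args, parentEnv = process.env) {
  const { spawn } = require('node:child_process');
  const { env, flagged } = buildChildEnv(parentEnv);
  if (flagged.length) console.error(`forwarding credential-like variables: ${flagged.join(', ')}`);
  return spawn(command, args, { env, stdio: 'inherit' });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed parent environment for the demo.
  const parent = { PATH: '/usr/bin', AWS_SECRET_ACCESS_KEY: 'redacted', OPENSCOUT_PORT: '3000' };
  console.log('forward-all:', Object.keys(envForwardAll(parent)));
  console.log('allow-list:', Object.keys(buildChildEnv(parent).env));
}
```

The allow-list form is the one to prefer when the launched process is a long-running server (as a bundled web UI's server is) rather than a one-shot tool, because every secret in the parent environment becomes readable to any code that later gains execution inside that server.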
Versions (showing 46 of 46)
| Version | Deps | Published |
|---|---|---|
| 0.2.64 | 10 / 19 | |
| 0.2.63 | 10 / 19 | |
| 0.2.62 | 9 / 18 | |
| 0.2.61 | 9 / 18 | |
| 0.2.60 | 9 / 18 | |
| 0.2.58 | 8 / 18 | |
| 0.2.57 | 8 / 18 | |
| 0.2.56 | 8 / 18 | |
| 0.2.55 | 8 / 18 | |
| 0.2.54 | 8 / 18 | |
| 0.2.53 | 8 / 18 | |
| 0.2.52 | 8 / 18 | |
| 0.2.51 | 8 / 18 | |
| 0.2.50 | 8 / 18 | |
| 0.2.49 | 8 / 18 | |
| 0.2.48 | 8 / 18 | |
| 0.2.47 | 5 / 18 | |
| 0.2.46 | 5 / 18 | |
| 0.2.45 | 5 / 17 | |
| 0.2.44 | 5 / 17 | |
| 0.2.43 | 5 / 17 | |
| 0.2.42 | 5 / 17 | |
| 0.2.41 | 5 / 17 | |
| 0.2.40 | 5 / 17 | |
| 0.2.39 | 3 / 15 | |
| 0.2.38 | 3 / 15 | |
| 0.2.37 | 3 / 15 | |
| 0.2.36 | 3 / 15 | |
| 0.2.35 | 3 / 15 | |
| 0.2.34 | 3 / 15 | |
| 0.2.33 | 3 / 15 | |
| 0.2.32 | 3 / 15 | |
| 0.2.31 | 3 / 15 | |
| 0.2.30 | 3 / 15 | |
| 0.2.29 | 3 / 15 | |
| 0.2.25 | 3 / 15 | |
| 0.2.24 | 3 / 15 | |
| 0.2.23 | 3 / 15 | |
| 0.2.22 | 3 / 15 | |
| 0.2.21 | 3 / 15 | |
| 0.2.20 | 3 / 6 | |
| 0.2.19 | 3 / 6 | |
| 0.2.18 | 3 / 6 | |
| 0.2.17 | 3 / 6 | |
| 0.2.16 | 3 / 6 | |
| 0.2.14 | 3 / 6 |
v0.2.64
5 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed, for example a publish from a directory that is not a git checkout, or with a client that does not record gitHead. Published by: arach.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported for 3 files in this version. The rule also fires on ordinary production bundles; the Accepted risks table above records the reviewer's per-file assessment.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.63
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported for 2 files in this version.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.62
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported for 2 files in this version.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.61
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.60, v0.2.58, v0.2.57, v0.2.56, v0.2.55, v0.2.54, v0.2.53, v0.2.52, v0.2.51, v0.2.50, v0.2.49, v0.2.48, v0.2.47, v0.2.46, v0.2.45, v0.2.44, v0.2.43, v0.2.42, v0.2.41, v0.2.40, v0.2.39, v0.2.38, v0.2.37, v0.2.36, v0.2.35, v0.2.34, v0.2.33, v0.2.32, v0.2.31, v0.2.30, v0.2.29, v0.2.25, v0.2.24, v0.2.23, v0.2.22, v0.2.21
2 findings each (identical across these 36 versions)
Spreading entire process.env into an object — may capture all secrets
```
52 | }
53 |
> 54 | const env = { ...process.env };
55 |
56 | for (let i = 0; i < argv.length; i++) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.20, v0.2.19, v0.2.18, v0.2.17, v0.2.16, v0.2.14
2 findings each (identical across these 6 versions; the same env-spread, at a different line of the launcher)
Spreading entire process.env into an object — may capture all secrets
```
81 |
82 | const forwardArgs = [];
> 83 | const env = { ...process.env };
84 |
85 | for (let i = 0; i < argv.length; i++) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
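As an added example, separate from the scanner's own rule: the long-line heuristic behind the "obfuscated-file" findings above (any line over 3000 characters), extended with a few indicators that separate a routine minified bundle, which is what the reviewer concluded every flagged file here was, from code that is deliberately obfuscated. The indicator thresholds and the two sample inputs are constructed for the demo, and `classifyBundle` is a hypothetical helper name.

```javascript
// Added example, not the scanner's rule. Minifiers (Vite/esbuild, terser) strip
// whitespace and rename locals but keep property names and API calls readable;
// obfuscators add hex identifiers, string arrays, escaped string payloads and
// runtime code construction. The long-line check alone cannot tell them apart.

const LONG_LINE = 3000; // threshold used by the findings on this page

function longestLine(src) {
  let max = 0;
  for (const line of src.split('\n')) if (line.length > max) max = line.length;
  return max;
}

function count(src, re) {
  return (src.match(re) || []).length;
}

function obfuscationIndicators(src) {
  return {
    // javascript-obfuscator style names such as _0x4a2b
    hexIdentifiers: count(src, /\b_0x[0-9a-f]{4,}\b/gi),
    // code assembled at runtime
    dynamicEval: count(src, /\b(eval|Function)\s*\(/g),
    // strings hidden as \xNN / \uNNNN escapes instead of plain literals
    escapedStrings: count(src, /\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi),
    // camelCase API words a minifier leaves intact (createElement, addEventListener)
    readableWords: count(src, /\b[a-z]{4,}[A-Z][a-zA-Z]{3,}\b/g),
  };
}

// Verdict: 'source' (no long lines), 'minified' (long lines, no obfuscation
// signals) or 'obfuscated' (long lines plus at least one signal). Thresholds
// are assumptions for the demo; tune them against a corpus you trust.
function classifyBundle(src) {
  const maxLine = longestLine(src);
  const ind = obfuscationIndicators(src);
  const perKb = (n) => n / Math.max(src.length / 1024, 0.01);
  const signals = [];
  let verdict = 'source';
  if (maxLine > LONG_LINE) {
    if (ind.hexIdentifiers >= 5) signals.push('hex-identifiers');
    if (perKb(ind.escapedStrings) > 20) signals.push('escaped-string-payloads');
    if (ind.dynamicEval > 0 && perKb(ind.readableWords) < 1) signals.push('eval-without-readable-api');
    verdict = signals.length ? 'obfuscated' : 'minified';
  }
  return { verdict, maxLine, signals, ...ind };
}

// Constructed samples: a single long line of ordinary minified React-style
// output, and a single long line in the shape obfuscators emit.
const MINIFIED_SAMPLE =
  'function t(e){return React.createElement("div",{onClick:e.onClick},e.children)}'.repeat(50);
const OBFUSCATED_SAMPLE =
  'var _0x4a2b=["\\x68\\x74\\x74\\x70"];(function(_0x1f3c){return eval(_0x1f3c)})(_0x4a2b[0]);'.repeat(40);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyBundle(MINIFIED_SAMPLE));
  console.log(classifyBundle(OBFUSCATED_SAMPLE));
}
```

Run this over the files named in the Accepted risks table before accepting a new long-line finding: a 'minified' verdict with zero signals supports the reviewer's rationale, while any signal on a file that was not present in the previous version is the case the finding text is warning about.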