
@ossy/app

Server-side rendering runtime and build tooling for Ossy apps.

Versions: 51
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

oskarssylwan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@ossy/connected-components | AI (phantom-deps): Same-org scoped packages used as peer/framework deps; not directly imported by convention. | ai |
phantom-deps | phantom-dep:rollup-plugin-postcss-modules | AI (phantom-deps): Referenced in rollup config files; standard build-tool pattern. | ai |
phantom-deps | phantom-dep:@ossy/sdk | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai |
phantom-deps | phantom-dep:cookie-parser | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai |
phantom-deps | phantom-dep:terser | AI (phantom-deps): Build tool dep loaded via config; stable false positive. | ai |
phantom-deps | phantom-dep:morgan | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai |
phantom-deps | phantom-dep:express | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@ossy/router | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai |
phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai |
phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Framework-scoped; loaded by convention. | ai |
phantom-deps | phantom-dep:@ossy/sdk-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai |
phantom-deps | phantom-dep:rollup-plugin-dts | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai |
phantom-deps | phantom-dep:@ossy/router-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai |
phantom-deps | phantom-dep:rollup-plugin-delete | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai |
phantom-deps | phantom-dep:@rollup/plugin-typescript | AI (phantom-deps): Framework-scoped; loaded by convention. | ai |
phantom-deps | phantom-dep:@babel/register | AI (phantom-deps): Framework-scoped; loaded by convention, not direct import. | ai |
phantom-deps | phantom-dep:@ossy/design-system | AI (phantom-deps): Same-org package; declared for consumer use. | ai |
phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): Framework-scoped; loaded by convention. | ai |
phantom-deps | phantom-dep:@rollup/plugin-alias | AI (phantom-deps): Framework-scoped; loaded by convention. | ai |
phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Build framework package; plugins/presets declared for downstream consumer use. | ai |
phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Build framework package; declared for downstream consumer use. | ai |
phantom-deps | phantom-dep:@ossy/pages | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai |
phantom-deps | phantom-dep:@ossy/themes | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai |
semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a dev CLI tool spawning a child process; standard pattern for dev servers passing environment through. | ai |
typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of ajv. | ai |
typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of yup. | ai |
typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of pg. | ai |
typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of hapi. | ai |

Versions (showing 51 of 103)

Version Deps Published
1.16.11 38 / 3
1.16.5 38 / 3
1.16.3 38 / 3
1.16.0 38 / 3
1.11.7 37 / 3
1.11.1 37 / 3
1.11.0 37 / 3
1.0.6 0 / 3
1.0.5 0 / 3
1.0.4 0 / 3
1.0.3 0 / 3
1.0.2 0 / 3
1.0.1 0 / 3
0.15.13 0 / 3
0.15.12 0 / 3
0.15.11 0 / 3
0.15.10 0 / 3
0.15.9 0 / 3
0.15.8 0 / 3
0.15.7 0 / 3
0.15.6 0 / 3
0.15.5 0 / 3
0.15.4 0 / 3
0.15.3 0 / 3
0.15.1 0 / 3
0.15.0 0 / 3
0.14.1 0 / 3
0.14.0 0 / 3
0.13.4 0 / 3
0.13.3 0 / 3
0.13.2 0 / 3
0.13.1 0 / 3
0.13.0 0 / 3
0.12.0 0 / 3
0.11.2 0 / 3
0.11.1 0 / 3
0.11.0 0 / 3
0.10.2 0 / 3
0.10.1 0 / 3
0.10.0 0 / 3
0.9.1 0 / 0
0.9.0 0 / 0
0.8.4 0 / 0
0.8.3 0 / 0
0.8.2 0 / 0
0.8.1 0 / 0
0.8.0 0 / 0
0.7.16 0 / 0
0.7.15 0 / 0
0.7.14 0 / 0
0.7.13 0 / 0

v1.16.11

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.5

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.3

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.0

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.11.7

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.11.1

2 findings
HIGH  env-spread: cli/dev.js:169  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  167 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  168 |   stdio: 'inherit',
> 169 |   env: {
  170 |     ...process.env,
  171 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.11.0

2 findings
HIGH  env-spread: cli/dev.js:158  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  156 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  157 |   stdio: 'inherit',
> 158 |   env: {
  159 |     ...process.env,
  160 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.6

2 findings
HIGH  env-spread: cli/dev.js:147  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  146 |   stdio: 'inherit',
> 147 |   env: {
  148 |     ...process.env,
  149 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.5

2 findings
HIGH  env-spread: cli/dev.js:147  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  146 |   stdio: 'inherit',
> 147 |   env: {
  148 |     ...process.env,
  149 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.4

2 findings
HIGH  env-spread: cli/dev.js:147  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  146 |   stdio: 'inherit',
> 147 |   env: {
  148 |     ...process.env,
  149 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.3

2 findings
HIGH  env-spread: cli/dev.js:148  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  147 |   stdio: 'inherit',
> 148 |   env: {
  149 |     ...process.env,
  150 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

2 findings
HIGH  env-spread: cli/dev.js:148  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  147 |   stdio: 'inherit',
> 148 |   env: {
  149 |     ...process.env,
  150 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

2 findings
HIGH  env-spread: cli/dev.js:148  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  147 |   stdio: 'inherit',
> 148 |   env: {
  149 |     ...process.env,
  150 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.13

2 findings
HIGH  env-spread: cli/dev.js:194  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  192 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  193 |   stdio: 'inherit',
> 194 |   env: {
  195 |     ...process.env,
  196 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.12

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.11

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.10

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.9

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.8

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.7

2 findings
HIGH  env-spread: cli/dev.js:186  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  185 |   stdio: 'inherit',
> 186 |   env: {
  187 |     ...process.env,
  188 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.6

2 findings
HIGH  env-spread: cli/dev.js:177  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  176 |   stdio: 'inherit',
> 177 |   env: {
  178 |     ...process.env,
  179 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.5

2 findings
HIGH  env-spread: cli/dev.js:177  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  176 |   stdio: 'inherit',
> 177 |   env: {
  178 |     ...process.env,
  179 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.4

2 findings
HIGH  env-spread: cli/dev.js:177  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  176 |   stdio: 'inherit',
> 177 |   env: {
  178 |     ...process.env,
  179 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.3

2 findings
HIGH  env-spread: cli/dev.js:177  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  176 |   stdio: 'inherit',
> 177 |   env: {
  178 |     ...process.env,
  179 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.1

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.14.1

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.14.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.4

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.3

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.2

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.1

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.2

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.1

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.2

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.1

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

2 findings
HIGH  env-spread: cli/dev.js:156  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  155 |   stdio: 'inherit',
> 156 |   env: {
  157 |     ...process.env,
  158 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.1

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.0

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.4

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.3

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.2

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.1

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.0

2 findings
HIGH  env-spread: cli/dev.js:128  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

  126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], {
  127 |   stdio: 'inherit',
> 128 |   env: {
  129 |     ...process.env,
  130 |     OSSY_DEV_RELOAD: '1',

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.16

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.15

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.14

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.13

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.