@powerlines/plugin-env
A package containing a Powerlines plugin for injecting static .env configuration values to the code so that they're accessible at runtime.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase fully explained by inlinedDependencies bundling pattern documented in package.json. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are inlined dependency bundles explicitly declared in package.json inlinedDependencies. | ai | |
| source-diff | obfuscated-file:dist/load-DPB0maqs.cjs | AI (source-diff): Bundled dotenv and other known deps; readable structure, hashed chunk filename is normal vite output. | ai | |
| source-diff | obfuscated-file:dist/json5-DEV_07Nb.cjs | AI (source-diff): Bundled confbox/json5 dependency with long unicode regex lines; not obfuscated, just minified. | ai | |
| source-diff | obfuscated-file:dist/dist-C_a6goTt.cjs | AI (source-diff): Standard rollup/vite bundle chunk with hashed filename; code is readable and references known deps. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/confbox/dist/json5.cjs | AI (source-diff): Minified vendored dependency (confbox) bundled into dist/node_modules via pnpm; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:@alloy-js/markdown | AI (phantom-deps): Config-referenced dep in monorepo plugin; stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): stormie-bot is the org's established bot account with 2775 approved packages; transition from GH Actions to this account is expected org automation pattern. | ai | |
| phantom-deps | phantom-dep:@powerlines/core | AI (phantom-deps): Same org scope; likely loaded by convention or peer dependency pattern, stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/types/env.cjs | AI (source-diff): Minified but fully readable build output for a new package export; no obfuscation or malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/types/env.mjs | AI (source-diff): Same as .cjs counterpart — minified ESM build output, content is benign env variable metadata. | ai | |
| dependencies | unvetted-dep:@powerlines/alloy | AI (dependencies): @powerlines/alloy is a sibling package in the same org scope, published by the same Storm Software maintainer with 356 approved packages. Internal org dependency, not a third-party unknown. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/jiti/dist/jiti.cjs | AI (source-diff): Minified bundle of the legitimate jiti package included via rolldown bundling of pnpm deps. SLSA provenance attestation confirms CI build integrity. No malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/confbox/dist/_chunks/libs/json5.cjs | AI (source-diff): Minified bundle of json5 parser from confbox package. Long line is a Unicode regex for JSON5 parsing — entirely benign. SLSA provenance confirms build integrity. | ai | |
| source-diff | obfuscated-file:dist/node_modules/.pnpm/[email protected]/node_modules/node-fetch-native/dist/proxy.cjs | AI (source-diff): Minified bundle of node-fetch-native proxy module using standard Node.js built-ins. No suspicious network calls or exfiltration. SLSA provenance confirms build integrity. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Config tooling from the same org ecosystem; loaded by convention/config, stable false positive. | ai | |
| phantom-deps | phantom-dep:@stryke/fs | AI (phantom-deps): Part of the @powerlines monorepo ecosystem; phantom deps are expected for plugin packages loaded by convention or config, not direct import. | ai | |
| phantom-deps | phantom-dep:powerlines | AI (phantom-deps): Core peer dependency of the @powerlines plugin ecosystem; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped package loaded by convention in Babel plugin ecosystems; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@stryke/env | AI (phantom-deps): Same monorepo org dependency loaded by config/convention; stable false positive for this plugin package. | ai | |
| phantom-deps | phantom-dep:@stryke/capnp | AI (phantom-deps): Same monorepo org dependency loaded by config/convention; stable false positive for this plugin package. | ai | |
| phantom-deps | phantom-dep:@stryke/types | AI (phantom-deps): Type-only dependency from same org; not directly imported at runtime but declared for type resolution. | ai | |
| phantom-deps | phantom-dep:@alloy-js/core | AI (phantom-deps): Framework-scoped package used via config/convention in the alloy-js ecosystem; stable false positive. | ai | |
| phantom-deps | phantom-dep:@powerlines/alloy | AI (phantom-deps): Same-org package from the @powerlines monorepo; loaded by plugin convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@stryke/type-checks | AI (phantom-deps): Same monorepo org utility package; loaded by config/convention, stable false positive. | ai | |
| phantom-deps | phantom-dep:@alloy-js/typescript | AI (phantom-deps): Framework-scoped package used via config/convention in the alloy-js ecosystem; stable false positive. | ai | |
| phantom-deps | phantom-dep:@stryke/string-format | AI (phantom-deps): Same monorepo org utility package; loaded by config/convention, stable false positive. | ai | |
| phantom-deps | phantom-dep:@powerlines/plugin-babel | AI (phantom-deps): Same-org plugin package from the @powerlines monorepo; loaded by plugin convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/types | AI (phantom-deps): Framework-scoped package loaded by convention via @babel/core; stable pattern for Babel plugins. | ai | |
| phantom-deps | phantom-dep:@powerlines/plugin-plugin | AI (phantom-deps): Same-org scoped package loaded by convention in plugin ecosystem; stable for this package. | ai | |
| phantom-deps | phantom-dep:@alloy-js/json | AI (phantom-deps): Config-file referenced dependency; legitimate pattern in code generation frameworks. | ai | |
| phantom-deps | phantom-dep:@stryke/json | AI (phantom-deps): Config-file referenced dependency; legitimate pattern in config-driven tooling. | ai |
Versions (showing 42 of 554)
| Version | Deps | Published |
|---|---|---|
| 0.14.18 | 21 / 2 | |
| 0.14.17 | 21 / 2 | |
| 0.14.16 | 21 / 2 | |
| 0.14.15 | 21 / 2 | |
| 0.14.14 | 21 / 2 | |
| 0.14.13 | 21 / 2 | |
| 0.14.12 | 21 / 2 | |
| 0.14.11 | 21 / 2 | |
| 0.14.10 | 21 / 2 | |
| 0.14.9 | 21 / 8 | |
| 0.14.8 | 19 / 8 | |
| 0.14.7 | 19 / 8 | |
| 0.14.6 | 19 / 8 | |
| 0.14.5 | 19 / 8 | |
| 0.13.103 | 17 / 6 | |
| 0.13.101 | 17 / 6 | |
| 0.13.95 | 17 / 6 | |
| 0.13.80 | 17 / 6 | |
| 0.13.79 | 17 / 6 | |
| 0.13.76 | 17 / 6 | |
| 0.13.69 | 17 / 6 | |
| 0.13.65 | 17 / 6 | |
| 0.13.60 | 17 / 6 | |
| 0.13.52 | 16 / 8 | |
| 0.13.50 | 16 / 8 | |
| 0.13.44 | 16 / 8 | |
| 0.13.41 | 16 / 8 | |
| 0.13.38 | 16 / 8 | |
| 0.13.37 | 16 / 8 | |
| 0.13.33 | 16 / 8 | |
| 0.13.30 | 16 / 8 | |
| 0.13.28 | 16 / 8 | |
| 0.13.27 | 16 / 8 | |
| 0.13.25 | 16 / 8 | |
| 0.13.16 | 16 / 8 | |
| 0.13.11 | 16 / 8 | |
| 0.13.10 | 16 / 8 | |
| 0.13.5 | 16 / 8 | |
| 0.13.1 | 16 / 8 | |
| 0.13.0 | 16 / 8 | |
| 0.8.1 | 16 / 8 | |
| 0.2.0 | 16 / 8 |
v0.14.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.101
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.95
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.80
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.79
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.76
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.69
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.65
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.60
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.52
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.50
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.44
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.41
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.37
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.