@promptbook/remote-server
Promptbook: Create persistent AI agents that turn your company's scattered knowledge into action
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Used in subprocess execution helper to pass env vars; standard pattern for this type of framework. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Buffer.from with base64 is a standard data decoding pattern, not payload hiding. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used for Node.js environment detection (global check); stable pattern across this package's versions. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Standard Proxy/Reflect pattern in a framework; not obfuscation. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Acknowledged in source with TODO comment; used for script execution in AI pipeline context. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Expected for a server-side Node.js execution framework. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 0.110.0 | 20 / 0 | |
| 0.105.0 | 19 / 0 | |
| 0.104.0 | 13 / 0 | |
| 0.103.0 | 13 / 0 | |
| 0.102.0 | 13 / 0 | |
| 0.101.0 | 12 / 0 | |
| 0.100.2 | 12 / 0 | |
| 0.100.1 | 12 / 0 | |
| 0.100.0 | 12 / 0 | |
| 0.98.0 | 13 / 0 | |
| 0.95.0 | 13 / 0 | |
| 0.94.0 | 13 / 0 | |
| 0.93.0 | 13 / 0 | |
| 0.92.0 | 13 / 0 | |
v0.110.0
2 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/webgptorg/promptbook/blob/bc63646894655f7b768e6d38f845b900c7a2e541/esm/index.es.js#L1320

```js
  1318 |     cwd,
  1319 |     shell: true,
> 1320 |     env: env ? { ...process.env, ...env } : process.env,
  1321 | });
  1322 | if (isVerbose) {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.105.0
3 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/webgptorg/promptbook/blob/d1b7003171c67142c266366e0e34f41db7ef1858/esm/index.es.js#L1319

```js
  1317 |     cwd,
  1318 |     shell: true,
> 1319 |     env: env ? { ...process.env, ...env } : process.env,
  1320 | });
  1321 | if (isVerbose) {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/webgptorg/promptbook/blob/d1b7003171c67142c266366e0e34f41db7ef1858/umd/index.umd.js#L1330

```js
  1328 |     cwd,
  1329 |     shell: true,
> 1330 |     env: env ? { ...process.env, ...env } : process.env,
  1331 | });
  1332 | if (isVerbose) {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.104.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.103.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.102.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.101.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.100.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.100.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.100.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.98.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.95.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.93.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.