@quenty/studio-bridge — Greenflagged

WebSocket-based bridge for running Luau scripts in Roblox Studio

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

quenty

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:silent-process-exec	AI (semgrep): Spawns Roblox Studio GUI executable detached; expected behavior for a Studio bridge CLI tool.	ai	2026/05/18
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same spawn call as silent-process-exec; launching Studio GUI detached is intentional.	ai	2026/05/18
semgrep	semgrep:base64-decode	AI (semgrep): Decodes binary field from structured result data; not obfuscated payload handling.	ai	2026/05/18
semgrep	semgrep:env-spread	AI (semgrep): Fires in a test file to snapshot/restore process.env — standard test pattern, not exfiltration.	ai	2026/04/29

Versions (showing 17 of 17)

Version	Deps	Published
0.15.0	7 / 5	2026-05-26
0.14.0	7 / 5	2026-05-26
0.13.0	7 / 5	2026-05-26
0.12.0	7 / 5	2026-05-20
0.11.0	7 / 5	2026-05-19
0.10.0	7 / 5	2026-05-19
0.9.0	7 / 5	2026-05-18
0.8.0	7 / 5	2026-05-14
0.7.1	6 / 5	2026-04-27
0.7.0	6 / 5	2026-02-23
0.6.0	6 / 5	2026-02-19
0.5.0	6 / 5	2026-02-18
0.4.0	6 / 5	2026-02-18
0.3.0	6 / 5	2026-02-17
0.2.2	6 / 5	2026-02-17
0.2.1	6 / 5	2026-02-17
0.2.0	6 / 5	2026-02-17

v0.15.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.14.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

3 findings

HIGH silent-process-exec: src/process/studio-process-manager.ts:143 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 141 | OutputHelper.verbose(`[StudioBridge] ${studioExe} "${placePath}"`); 142 | > 143 | const proc = spawn(studioExe, placePath ? [placePath] : [], { 144 | detached: true, 145 | stdio: 'ignore',

HIGH silent-process-exec-var: src/process/studio-process-manager.ts:143 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 141 | OutputHelper.verbose(`[StudioBridge] ${studioExe} "${placePath}"`); 142 | > 143 | const proc = spawn(studioExe, placePath ? [placePath] : [], { 144 | detached: true, 145 | stdio: 'ignore',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.