@risuko/app
Risuko download manager — launches the desktop app, downloading it from GitHub Releases on first run
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is the documented mechanism for launching a desktop app binary from a CLI wrapper; not a reverse shell. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same detached spawn pattern; consistent with desktop app launcher use case. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @risuko/app is not a plausible typosquat of hapi; different namespace and purpose. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @risuko/app is not a plausible typosquat of pg; different namespace and purpose. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped package @risuko/app is not a plausible typosquat of yup; different namespace and purpose. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @risuko/app is not a plausible typosquat of ajv; different namespace and purpose. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.3.1 | 0 / 0 | |
| 0.3.0 | 0 / 0 | |
| 0.2.0 | 0 / 0 | |
| 0.1.10 | 0 / 0 | |
| 0.1.9 | 0 / 0 | |
| 0.1.8 | 0 / 0 | |
| 0.1.7 | 0 / 0 | |
| 0.1.6 | 0 / 0 | |
| 0.1.5 | 0 / 0 | |
| 0.1.4 | 0 / 0 | |
v0.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/c3e44d2bd1dbde19fb79a9915241305803056b7c/bin.js#L260

```text
  258 | }
  259 |
> 260 | const child = spawn(binaryPath, appArgs, {
  261 |   detached: true,
  262 |   stdio: "ignore",
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/c3e44d2bd1dbde19fb79a9915241305803056b7c/bin.js#L260 (same location as the finding above)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/9014e4be0a5ba82ce0f288a2b58581b9656cadd8/bin.js#L260

```text
  258 | }
  259 |
> 260 | const child = spawn(binaryPath, appArgs, {
  261 |   detached: true,
  262 |   stdio: "ignore",
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/9014e4be0a5ba82ce0f288a2b58581b9656cadd8/bin.js#L260 (same location as the finding above)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/05c0ecfd353362e5379c783c9420a789505f720c/bin.js#L252

```text
  250 | }
  251 |
> 252 | const child = spawn(binaryPath, appArgs, {
  253 |   detached: true,
  254 |   stdio: "ignore",
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/05c0ecfd353362e5379c783c9420a789505f720c/bin.js#L252 (same location as the finding above)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/06347f8f0dd49abcb01f995b036404dbeaa3e3bc/bin.js#L252

```text
  250 | }
  251 |
> 252 | const child = spawn(binaryPath, appArgs, {
  253 |   detached: true,
  254 |   stdio: "ignore",
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/06347f8f0dd49abcb01f995b036404dbeaa3e3bc/bin.js#L252 (same location as the finding above)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/f725eddc637d26bfe916e2ef30843b5a17fb21bc/bin.js#L252

```text
  250 | }
  251 |
> 252 | const child = spawn(binaryPath, appArgs, {
  253 |   detached: true,
  254 |   stdio: "ignore",
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/YueMiyuki/risuko/blob/f725eddc637d26bfe916e2ef30843b5a17fb21bc/bin.js#L252 (same location as the finding above)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.