
@rocicorp/zero

Zero is a web framework for serverless web development.

Versions: 6
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arv, aboodman, cesaraz1, grgbkr, 0xcadams, tantaman, darick

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Well-established package; lack of Sigstore provenance is a process gap, not a security risk for this publisher. | ai |
provenance | missing-githead | AI (provenance): Established package with long history; publish environment change is plausible, not indicative of malicious activity. | ai |
phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): Type-only package; not directly imported at runtime by design. | ai |
phantom-deps | phantom-dep:@fastify/cors | AI (phantom-deps): Loaded by convention via fastify plugin registration; phantom-dep false positive. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is a declared runtime dep; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:@types/basic-auth | AI (phantom-deps): Type-only package; not directly imported at runtime by design. | ai |
phantom-deps | phantom-dep:@opentelemetry/sdk-trace-node | AI (phantom-deps): Loaded via OpenTelemetry auto-instrumentation config; phantom-dep false positive. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): new Function used in analyze-query CLI tool to evaluate user-supplied ZQL query strings — expected and documented behavior. | ai |
semgrep | semgrep:env-spread | AI (semgrep): env spread passes process.env to litestream subprocess — standard subprocess env forwarding, not exfiltration. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy handler — idiomatic JS proxy pattern, not obfuscation. | ai |

Versions (showing 6 of 6)

Version | Deps | Published
1.6.1 | 49 / 20 |
1.6.0 | 49 / 20 |
1.5.0 | 49 / 21 |
1.4.0 | 49 / 21 |
1.3.0 | 49 / 21 |
1.2.0 | 50 / 21 |

v1.6.1

2 findings
INFO  No provenance attestation  (source: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO  Missing gitHead — previous versions had it  (source: provenance)

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aboodman.

v1.6.0

2 findings
HIGH  Missing gitHead — previous versions had it  (source: provenance)

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aboodman.

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.5.0

4 findings
HIGH  env-spread: out/zero-cache/src/services/litestream/commands.js:50  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/7a35ca38840c40cf23491f5d0513ed6675e6dc2e/out/zero-cache/src/services/litestream/commands.js#L50

  48 | return {
  49 | litestream: (mode === "restore" && restoreUsingV5 ? executableV5 : executable) ?? must(executable, `Missing --litestre
> 50 | env: {
  51 | ...process.env,
  52 | ["ZERO_REPLICA_FILE"]: config.replica.file,

HIGH  env-spread: out/zero/src/zero-cache-dev.js:70  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/7a35ca38840c40cf23491f5d0513ed6675e6dc2e/out/zero/src/zero-cache-dev.js#L70

  68 | lc.info?.(`Running ${deployPermissionsScript}.`);
  69 | permissionsProcess = spawn(deployPermissionsScript, [], {
> 70 | env: {
  71 | ...process.env,
  72 | ...deployPermissionsEnv

HIGH  env-spread: out/zero/src/zero-cache-dev.js:92  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/7a35ca38840c40cf23491f5d0513ed6675e6dc2e/out/zero/src/zero-cache-dev.js#L92

  90 | lc.info?.(`Running ${zeroCacheScript} at\n\n\thttp://localhost:${config.port}\n`);
  91 | zeroCacheProcess = spawn(zeroCacheScript, [], {
> 92 | env: {
  93 | ["ZERO_NUM_SYNC_WORKERS"]: "3",
  94 | ["ZERO_CVR_MAX_CONNS"]: "6",

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

4 findings
HIGH  env-spread: out/zero-cache/src/services/litestream/commands.js:50  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/dfc9b9a2bec5a199936c13f1ea7efef7c06d2a76/out/zero-cache/src/services/litestream/commands.js#L50

  48 | return {
  49 | litestream: (mode === "restore" && restoreUsingV5 ? executableV5 : executable) ?? must(executable, `Missing --litestre
> 50 | env: {
  51 | ...process.env,
  52 | ["ZERO_REPLICA_FILE"]: config.replica.file,

HIGH  env-spread: out/zero/src/zero-cache-dev.js:70  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/dfc9b9a2bec5a199936c13f1ea7efef7c06d2a76/out/zero/src/zero-cache-dev.js#L70

  68 | lc.info?.(`Running ${deployPermissionsScript}.`);
  69 | permissionsProcess = spawn(deployPermissionsScript, [], {
> 70 | env: {
  71 | ...process.env,
  72 | ...deployPermissionsEnv

HIGH  env-spread: out/zero/src/zero-cache-dev.js:92  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/dfc9b9a2bec5a199936c13f1ea7efef7c06d2a76/out/zero/src/zero-cache-dev.js#L92

  90 | lc.info?.(`Running ${zeroCacheScript} at\n\n\thttp://localhost:${config.port}\n`);
  91 | zeroCacheProcess = spawn(zeroCacheScript, [], {
> 92 | env: {
  93 | ["ZERO_NUM_SYNC_WORKERS"]: "3",
  94 | ["ZERO_CVR_MAX_CONNS"]: "6",

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.0

4 findings
HIGH  env-spread: out/zero-cache/src/services/litestream/commands.js:41  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/5a6dabebfca676b4468d8869de064294c9edb182/out/zero-cache/src/services/litestream/commands.js#L41

  39 | return {
  40 | litestream: must(executable, `Missing --litestream-executable`),
> 41 | env: {
  42 | ...process.env,
  43 | ["ZERO_REPLICA_FILE"]: config.replica.file,

HIGH  env-spread: out/zero/src/zero-cache-dev.js:69  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/5a6dabebfca676b4468d8869de064294c9edb182/out/zero/src/zero-cache-dev.js#L69

  67 | lc.info?.(`Running ${deployPermissionsScript}.`);
  68 | permissionsProcess = spawn(deployPermissionsScript, [], {
> 69 | env: {
  70 | ...process.env,
  71 | ...deployPermissionsEnv

HIGH  env-spread: out/zero/src/zero-cache-dev.js:91  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/rocicorp/mono/blob/5a6dabebfca676b4468d8869de064294c9edb182/out/zero/src/zero-cache-dev.js#L91

  89 | lc.info?.(`Running ${zeroCacheScript} at\n\n\thttp://localhost:${config.port}\n`);
  90 | zeroCacheProcess = spawn(zeroCacheScript, [], {
> 91 | env: {
  92 | ["ZERO_NUM_SYNC_WORKERS"]: "3",
  93 | ["ZERO_CVR_MAX_CONNS"]: "6",

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.