@spinajs/configuration
framework configuration module
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Configuration framework intentionally merges process.env into config object; stable design pattern across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 456 versions; lack of provenance is consistent across all releases and not a new risk. | ai |
Versions (showing 100 of 105)
| Version | Deps | Published |
|---|---|---|
| 2.0.474 | 11 / 1 | |
| 2.0.473 | 11 / 1 | |
| 2.0.472 | 11 / 1 | |
| 2.0.471 | 11 / 1 | |
| 2.0.470 | 11 / 1 | |
| 2.0.469 | 11 / 1 | |
| 2.0.468 | 11 / 1 | |
| 2.0.467 | 11 / 1 | |
| 2.0.466 | 11 / 1 | |
| 2.0.465 | 11 / 1 | |
| 2.0.464 | 11 / 1 | |
| 2.0.463 | 11 / 1 | |
| 2.0.462 | 11 / 1 | |
| 2.0.461 | 11 / 1 | |
| 2.0.460 | 11 / 1 | |
| 2.0.458 | 11 / 1 | |
| 2.0.457 | 11 / 1 | |
| 2.0.456 | 11 / 1 | |
| 2.0.455 | 11 / 1 | |
| 2.0.454 | 11 / 1 | |
| 2.0.453 | 11 / 1 | |
| 2.0.452 | 11 / 1 | |
| 2.0.451 | 11 / 1 | |
| 2.0.450 | 11 / 1 | |
| 2.0.449 | 11 / 1 | |
| 2.0.448 | 11 / 1 | |
| 2.0.447 | 11 / 1 | |
| 2.0.446 | 11 / 1 | |
| 2.0.445 | 11 / 1 | |
| 2.0.444 | 11 / 1 | |
| 2.0.443 | 11 / 1 | |
| 2.0.442 | 11 / 1 | |
| 2.0.441 | 11 / 1 | |
| 2.0.439 | 11 / 1 | |
| 2.0.438 | 11 / 1 | |
| 2.0.436 | 11 / 1 | |
| 2.0.435 | 11 / 1 | |
| 2.0.434 | 11 / 1 | |
| 2.0.433 | 11 / 1 | |
| 2.0.432 | 11 / 1 | |
| 2.0.431 | 11 / 1 | |
| 2.0.430 | 11 / 1 | |
| 2.0.429 | 11 / 1 | |
| 2.0.428 | 11 / 1 | |
| 2.0.427 | 11 / 1 | |
| 2.0.426 | 11 / 1 | |
| 2.0.425 | 11 / 1 | |
| 2.0.424 | 11 / 1 | |
| 2.0.423 | 11 / 1 | |
| 2.0.422 | 11 / 1 | |
| 2.0.421 | 11 / 1 | |
| 2.0.420 | 11 / 1 | |
| 2.0.419 | 11 / 1 | |
| 2.0.418 | 11 / 1 | |
| 2.0.417 | 11 / 1 | |
| 2.0.416 | 11 / 1 | |
| 2.0.415 | 11 / 1 | |
| 2.0.414 | 11 / 1 | |
| 2.0.413 | 11 / 1 | |
| 2.0.412 | 11 / 1 | |
| 2.0.411 | 11 / 1 | |
| 2.0.409 | 11 / 1 | |
| 2.0.408 | 11 / 1 | |
| 2.0.407 | 11 / 1 | |
| 2.0.406 | 11 / 1 | |
| 2.0.405 | 11 / 1 | |
| 2.0.404 | 11 / 1 | |
| 2.0.403 | 11 / 1 | |
| 2.0.402 | 11 / 1 | |
| 2.0.401 | 11 / 1 | |
| 2.0.400 | 11 / 1 | |
| 2.0.399 | 11 / 1 | |
| 2.0.398 | 11 / 1 | |
| 2.0.397 | 11 / 1 | |
| 2.0.396 | 11 / 1 | |
| 2.0.395 | 11 / 1 | |
| 2.0.394 | 11 / 1 | |
| 2.0.393 | 11 / 1 | |
| 2.0.392 | 11 / 1 | |
| 2.0.391 | 11 / 1 | |
| 2.0.390 | 11 / 1 | |
| 2.0.389 | 11 / 1 | |
| 2.0.387 | 11 / 1 | |
| 2.0.386 | 11 / 1 | |
| 2.0.385 | 11 / 1 | |
| 2.0.384 | 11 / 1 | |
| 2.0.383 | 11 / 1 | |
| 2.0.382 | 11 / 1 | |
| 2.0.381 | 11 / 1 | |
| 2.0.379 | 11 / 1 | |
| 2.0.378 | 11 / 1 | |
| 2.0.377 | 11 / 1 | |
| 2.0.375 | 11 / 1 | |
| 2.0.374 | 11 / 1 | |
| 2.0.373 | 11 / 1 | |
| 2.0.372 | 11 / 1 | |
| 2.0.371 | 11 / 1 | |
| 2.0.370 | 11 / 1 | |
| 2.0.369 | 11 / 1 | |
| 2.0.368 | 11 / 1 |
v2.0.474
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.473
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.472
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.471
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.470
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.469
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.468
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.467
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.466
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.465
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.464
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.463
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.462
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.461
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.460
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.458
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.457
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.456
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.455
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.454
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.453
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.452
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.451
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.450
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.449
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.448
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/cjs/configuration.js#L153 151 | // add env variables to config 152 | const env = di_1.DI.get('process.env'); > 153 | this.set('process.env', { 154 | ...process.env, 155 | ...env,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/spinajs/configuration/blob/002dc553b0ffffd72193d0121ac425a4083bc9ee/lib/mjs/configuration.js#L147 145 | // add env variables to config 146 | const env = DI.get('process.env'); > 147 | this.set('process.env', { 148 | ...process.env, 149 | ...env,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.447
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.445
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.444
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.443
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.442
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.441
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.439
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.438
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.436
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.435
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.434
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.433
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.432
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.431
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.430
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.429
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.427
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.426
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.425
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.424
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.423
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.422
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.421
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.420
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.419
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.418
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.417
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.416
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.415
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.414
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.413
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.412
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.411
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.409
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.408
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.407
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.406
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.405
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.404
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.403
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.402
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.401
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.400
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.399
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.398
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.397
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.396
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.395
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.394
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.393
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.392
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.391
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.390
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.389
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.387
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.386
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.385
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.384
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.383
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.382
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.381
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.379
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.378
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.377
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.375
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.374
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.373
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.372
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.371
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.370
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.369
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.368
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.