@symbo.ls/cli
Fetch your Symbols configuration
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in changesUtils parser to evaluate expressions; consistent with CLI diff/template tooling. | ai | |
| phantom-deps | phantom-dep:@symbo.ls/init | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for indirect/CLI usage patterns. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): node-fetch is a declared runtime dep; phantom-dep heuristic may miss dynamic or transitive usage in CLI tools. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves a fixed path to @symbo.ls/runner/package.json; not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@symbo.ls/fetch | AI (phantom-deps): Same-org scoped dep; likely used indirectly via sibling packages. | ai | |
| phantom-deps | phantom-dep:@symbo.ls/runner | AI (phantom-deps): Same-org scoped dep; dynamically required by path in bin/eject.js. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): spawn('open', [url]) is the standard macOS URL-open pattern; not a reverse shell. | ai | |
| phantom-deps | phantom-dep:run-async | AI (phantom-deps): run-async is declared in dependencies; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same macOS open-URL pattern; stable false positive for this CLI package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing process.env to child process is expected behavior. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): JWT base64 padding utility; no payload hiding. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 is localhost display in tunnel status output; not an exfiltration endpoint. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @symbo.ls/cli; no resemblance to joi in intent or namespace. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 3.14.1 | 14 / 0 | |
| 3.3.7 | 13 / 0 | |
| 3.2.11 | 13 / 0 | |
| 2.34.21 | 12 / 0 | |
| 2.34.20 | 12 / 0 | |
| 2.34.2 | 12 / 0 | |
| 2.33.35 | 12 / 0 | |
| 2.32.19 | 10 / 0 | |
| 2.32.14 | 10 / 0 | |
v3.14.1
15 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  55 | const platform = process.platform
  56 | if (platform === 'darwin') {
> 57 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  58 |   return true
  59 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  55 | const platform = process.platform
  56 | if (platform === 'darwin') {
> 57 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  58 |   return true
  59 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  60 | if (platform === 'win32') {
  61 |   // Use cmd's "start" to open default browser
> 62 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  63 |   return true
  64 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  60 | if (platform === 'win32') {
  61 |   // Use cmd's "start" to open default browser
> 62 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  63 |   return true
  64 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  64 |   }
  65 |   // linux, etc.
> 66 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  67 |   return true
  68 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  64 |   }
  65 |   // linux, etc.
> 66 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  67 |   return true
  68 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  41 | const platform = process.platform
  42 | if (platform === 'darwin') {
> 43 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  44 |   return true
  45 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  41 | const platform = process.platform
  42 | if (platform === 'darwin') {
> 43 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  44 |   return true
  45 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  45 | }
  46 | if (platform === 'win32') {
> 47 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  48 |   return true
  49 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  45 | }
  46 | if (platform === 'win32') {
> 47 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  48 |   return true
  49 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  48 |     return true
  49 |   }
> 50 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  51 |   return true
  52 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  48 |     return true
  49 |   }
> 50 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  51 |   return true
  52 | } catch (_) {
```

Spreading entire process.env into an object — may capture all secrets

```js
  69 | const child = spawn(process.execPath, [resolveCliBin(), ...args], {
  70 |   cwd,
> 71 |   env: { ...process.env, ...env },
  72 |   stdio
  73 | })
```

Spreading entire process.env into an object — may capture all secrets

```js
 123 | const child = spawn(process.execPath, [resolveCliBin(), ...args], {
 124 |   cwd,
> 125 |   env: { ...process.env, ...env },
 126 |   stdio: ['ignore', 'pipe', 'pipe']
 127 | })
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.3.7
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.11
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.34.21
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.34.20
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.34.2
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.33.35
7 findings

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  30 | const platform = process.platform
  31 | if (platform === 'darwin') {
> 32 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref()
  33 |   return true
  34 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  35 | if (platform === 'win32') {
  36 |   // Use cmd's "start" to open default browser
> 37 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref()
  38 |   return true
  39 | }
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```

Silent detached process — runs invisibly in the background (reverse shells, miners)

```js
  39 |   }
  40 |   // linux, etc.
> 41 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref()
  42 |   return true
  43 | } catch (_) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.19
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.14
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.