@theia/ai-claude-code EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 5 versions

@theia/ai-claude-code

npm Repository Homepage

Theia - Claude Code Integration

Versions

EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0

License

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

eclipsetheiavince-fugnittobhufmannmarc.dumaispaul-marechalmsujewtsmaederjfaltermeierjhelmingeclipse-theia-botsgrabandndoschek

Keywords

theia-extension

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Intentional: passes process.env to Claude Code subprocess, overriding API key and NODE_OPTIONS. Expected pattern for this integration.	ai	2026/05/23
semgrep	semgrep:child-process-import	AI (semgrep): Claude Code integration must spawn a subprocess; child_process use is core to this package's purpose.	ai	2026/05/23
semgrep	semgrep:new-function-constructor	AI (semgrep): Used solely as a webpack-compatible dynamic ESM import workaround, not for arbitrary code execution.	ai	2026/05/23
phantom-deps	phantom-dep:@theia/monaco-editor-core	AI (phantom-deps): Same-org sibling dep; declared as a transitive peer dependency, stable false positive for this package.	ai	2026/05/23

Versions (showing 5 of 5)

Version	Deps	Published
1.72.1	10 / 1	2026-05-29
1.72.0	10 / 1	2026-05-28
1.71.2	10 / 1	2026-05-27
1.71.0	10 / 1	2026-04-30
1.70.2	10 / 1	2026-04-10

v1.72.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.72.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.0

3 findings

HIGH env-spread: lib/node/claude-code-service-impl.js:103 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eclipse-theia/theia/blob/d8a596fc99f0a8e68b466828ed162569d79e3a71/lib/node/claude-code-service-impl.js#L103 101 | settingSources: ['user', 'project', 'local'], 102 | canUseTool: (toolName, toolInput) => this.requestToolApproval(streamId, toolName, toolInput), > 103 | env: { ...process.env, ANTHROPIC_API_KEY: apiKey, NODE_OPTIONS: '' }, 104 | stderr: (data) => { 105 | let message = String(data);

HIGH env-spread: src/node/claude-code-service-impl.ts:143 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/eclipse-theia/theia/blob/d8a596fc99f0a8e68b466828ed162569d79e3a71/src/node/claude-code-service-impl.ts#L143 141 | settingSources: ['user', 'project', 'local'], 142 | canUseTool: (toolName: string, toolInput: unknown) => this.requestToolApproval(streamId, toolName, t > 143 | env: { ...process.env, ANTHROPIC_API_KEY: apiKey, NODE_OPTIONS: '' }, 144 | stderr: (data: unknown) => { 145 | let message = String(data);

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.