@theia/core
Theia is a cloud & desktop IDE framework implemented in TypeScript.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/safer-buffer | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:http-proxy-agent | AI (phantom-deps): Referenced in proxy config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:https-proxy-agent | AI (phantom-deps): Referenced in proxy config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/body-parser | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/markdown-it | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/route-parser | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): TypeScript type package; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:body-parser | AI (phantom-deps): Used transitively via express in this framework package. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/yargs | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Runtime helper injected by Babel transpilation; not directly imported. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/fs-extra | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): TypeScript type package; loaded by convention. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): IDE framework spawning child processes with env is expected; security token is added, not leaked. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads keyboard layout JSON files from a fixed local directory; not arbitrary module loading. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used to iterate Key namespace constants; standard pattern, not obfuscation. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): IDE framework legitimately spawns backend/electron processes; expected usage. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @theia/core is the well-known Eclipse Theia IDE core package; no relation to 'cors'. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 1.72.2 | 70 / 4 | |
| 1.72.1 | 70 / 4 | |
| 1.72.0 | 70 / 4 | |
| 1.71.2 | 70 / 4 | |
| 1.71.1 | 70 / 4 | |
| 1.71.0 | 70 / 4 | |
| 1.70.2 | 70 / 4 | |
| 1.70.1 | 70 / 4 | |
v1.72.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.72.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.72.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.71.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.71.1
4 findings:

- Package name '@theia/core' is 1 edit(s) away from popular package 'cors'.
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/4d2486fa6f9a99b259ffa8c451754a34c6ad586c/lib/electron-main/electron-main-application.js#L653

```
  651 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  652 | detached: process.platform !== 'win32',
> 653 | env: {
  654 |     ...process.env,
  655 |     [electron_token_1.ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/4d2486fa6f9a99b259ffa8c451754a34c6ad586c/src/electron-main/electron-main-application.ts#L792

```
  790 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  791 | detached: process.platform !== 'win32',
> 792 | env: {
  793 |     ...process.env,
  794 |     [ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.71.0
4 findings:

- Package name '@theia/core' is 1 edit(s) away from popular package 'cors'.
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/d8a596fc99f0a8e68b466828ed162569d79e3a71/lib/electron-main/electron-main-application.js#L653

```
  651 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  652 | detached: process.platform !== 'win32',
> 653 | env: {
  654 |     ...process.env,
  655 |     [electron_token_1.ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/d8a596fc99f0a8e68b466828ed162569d79e3a71/src/electron-main/electron-main-application.ts#L792

```
  790 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  791 | detached: process.platform !== 'win32',
> 792 | env: {
  793 |     ...process.env,
  794 |     [ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.70.1
4 findings:

- Package name '@theia/core' is 1 edit(s) away from popular package 'cors'.
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/12f45264d4bbdaaa6275621256057fb384e4474a/lib/electron-main/electron-main-application.js#L649

```
  647 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  648 | detached: process.platform !== 'win32',
> 649 | env: {
  650 |     ...process.env,
  651 |     [electron_token_1.ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/eclipse-theia/theia/blob/12f45264d4bbdaaa6275621256057fb384e4474a/src/electron-main/electron-main-application.ts#L782

```
  780 | // See https://nodejs.org/api/child_process.html#child_process_options_detached
  781 | detached: process.platform !== 'win32',
> 782 | env: {
  783 |     ...process.env,
  784 |     [ElectronSecurityToken]: JSON.stringify(this.electronSecurityToken),
```

- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.