@titanpl/cli
The unified CLI for Titan Planet. Use it to create, manage, build, and deploy high-performance backend projects.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool spawning child processes with process.env passthrough is standard; not exfiltration. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @titanpl/cli is not a typosquat of joi; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Declared but not directly imported; likely used transitively or in config; stable false positive. | ai | |
v7.0.8
4 findings

Spreading entire process.env into an object — may capture all secrets

```
138 | const engineProcess = spawn(binaryPath, args, {
139 |   stdio: ['inherit', 'pipe', 'pipe'],
> 140 |   env: {
141 |     ...process.env,
142 |     TITAN_ENV: watchMode ? 'development' : 'production',
```

Spreading entire process.env into an object — may capture all secrets

```
138 |   cwd: serverPath,
139 |   stdio: ["ignore", "pipe", "pipe"],
> 140 |   env: { ...process.env, CARGO_INCREMENTAL: "1" }
141 | });
142 |
```

Spreading entire process.env into an object — may capture all secrets

```
142 |   cwd: serverPath,
143 |   stdio: ["ignore", "pipe", "pipe"],
> 144 |   env: { ...process.env, CARGO_INCREMENTAL: "1" }
145 | });
146 |
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.3
4 findings

Spreading entire process.env into an object — may capture all secrets

```
138 | const engineProcess = spawn(binaryPath, args, {
139 |   stdio: ['inherit', 'pipe', 'pipe'],
> 140 |   env: {
141 |     ...process.env,
142 |     TITAN_ENV: watchMode ? 'development' : 'production',
```

Spreading entire process.env into an object — may capture all secrets

```
138 |   cwd: serverPath,
139 |   stdio: ["ignore", "pipe", "pipe"],
> 140 |   env: { ...process.env, CARGO_INCREMENTAL: "1" }
141 | });
142 |
```

Spreading entire process.env into an object — may capture all secrets

```
142 |   cwd: serverPath,
143 |   stdio: ["ignore", "pipe", "pipe"],
> 144 |   env: { ...process.env, CARGO_INCREMENTAL: "1" }
145 | });
146 |
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
2 findings

Spreading entire process.env into an object — may capture all secrets

```
91 | const engineProcess = spawn(binaryPath, args, {
92 |   stdio: ['inherit', 'pipe', 'pipe'],
> 93 |   env: {
94 |     ...process.env,
95 |     TITAN_ENV: watchMode ? 'development' : 'production',
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.