@unisphere/cli
This library was created to support the development and deployment process of the UNISPHERE applications suites.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool intentionally passes process.env to child processes; standard pattern for dev tooling. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Compiled CLI with bundled deps; sparse metadata is consistent with the package's nature and Kaltura org ownership. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @unisphere/cli is a Kaltura CLI tool; distance-2 match to 'joi' is a false positive. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately uses execSync to inspect git branch; not exfiltration. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads package.json by path variable — standard pattern for workspace tooling. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 5.2.3 | 27 / 0 | |
| 5.2.2 | 27 / 0 | |
| 5.2.1 | 27 / 0 | |
| 5.2.0 | 26 / 0 | |
| 5.1.1 | 26 / 0 | |
| 5.1.0 | 26 / 0 | |
| 5.0.2 | 26 / 0 | |
| 4.1.2 | 26 / 0 | |
| 4.1.1 | 26 / 0 | |
| 4.1.0 | 0 / 0 | |
| 4.0.0 | 0 / 0 | |
v5.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
14 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/application/serve-command.ts#L89
```ts
  87 |   cwd: workingDirectory,
  88 |   stdio: 'inherit',
> 89 |   env: {
  90 |     ...process.env,
  91 |     ...envVars,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/dev/local-nx-command.ts#L285
```ts
  283 | const subprocess = execa('npx', ['nx', 'migrate', '--run-migrations', '--verbose'], {
  284 |   cwd: targetPath,
> 285 |   env: {
  286 |     ...process.env,
  287 |     ...migrateEnv,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/documentation/serve-command.ts#L94
```ts
  92 |   cwd: documentationProjectPath,
  93 |   stdio: 'inherit',
> 94 |   env: {
  95 |     ...process.env,
  96 |     ...envVars,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-github.ts#L137
```ts
  135 | debug(`Package name: ${ctx.packageJson.name}`);
  136 |
> 137 | const env = {
  138 |   ...process.env,
  139 |   NPM_CONFIG_REGISTRY: 'https://npm.pkg.github.com',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-github.ts#L209
```ts
  207 | } else {
  208 |   // Prepare environment variables for GitHub Packages
> 209 |   const env = {
  210 |     ...process.env,
  211 |     NPM_CONFIG_REGISTRY: 'https://npm.pkg.github.com',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-jfrog.ts#L138
```ts
  136 | debug(`Package name: ${ctx.packageJson.name}`);
  137 |
> 138 | const env = {
  139 |   ...process.env,
  140 |   NPM_CONFIG_REGISTRY: localRegistryUrl,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-jfrog.ts#L210
```ts
  208 | } else {
  209 |   // Prepare environment variables for GitHub Packages
> 210 |   const env = {
  211 |     ...process.env,
  212 |     NPM_CONFIG_REGISTRY: localRegistryUrl,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-npm.ts#L139
```ts
  137 | debug(`Package name: ${ctx.packageJson.name}`);
  138 |
> 139 | const env = {
  140 |   ...process.env,
  141 |   NPM_CONFIG_REGISTRY: 'https://registry.npmjs.org',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/commands/package/publish/deploy-to-npm.ts#L210
```ts
  208 | } else {
  209 |   // Prepare environment variables for NPM Packages
> 210 |   const env = {
  211 |     ...process.env,
  212 |     NPM_CONFIG_REGISTRY: 'https://registry.npmjs.org',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/utils/listr2/create-exec-task.ts#L49
```ts
  47 | const execute = execa(cmd, args, {
  48 |   cwd,
> 49 |   env: {
  50 |     ...process.env,
  51 |     ...(env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/utils/prompts/prompts.ts#L62
```ts
  60 |   stdio,
  61 |   cwd: projectPath,
> 62 |   env: {
  63 |     ...process.env,
  64 |     ...env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/utils/unisphere/get-dependency-graph.ts#L62
```ts
  60 |   cwd: rootDir,
  61 |   encoding: 'utf-8',
> 62 |   env: {
  63 |     ...process.env,
  64 |     NX_WORKSPACE_ROOT: rootDir,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/0b5930a997e8f5a658fe8574cd3d146ea8f71f3b/src/lib/utils/unisphere/get-env-variables.ts#L13
```ts
  11 | return {
  12 |   isUnisphereEnvironment: isRunningFromUnisphereEnvironment,
> 13 |   envVariables: {
  14 |     ...process.env,
  15 |     UNISPHERE_MODE,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
14 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/application/serve-command.ts#L89
```ts
  87 |   cwd: workingDirectory,
  88 |   stdio: 'inherit',
> 89 |   env: {
  90 |     ...process.env,
  91 |     ...envVars,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/dev/local-nx-command.ts#L285
```ts
  283 | const subprocess = execa('npx', ['nx', 'migrate', '--run-migrations', '--verbose'], {
  284 |   cwd: targetPath,
> 285 |   env: {
  286 |     ...process.env,
  287 |     ...migrateEnv,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/documentation/serve-command.ts#L94
```ts
  92 |   cwd: documentationProjectPath,
  93 |   stdio: 'inherit',
> 94 |   env: {
  95 |     ...process.env,
  96 |     ...envVars,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-github.ts#L137
```ts
  135 | debug(`Package name: ${ctx.packageJson.name}`);
  136 |
> 137 | const env = {
  138 |   ...process.env,
  139 |   NPM_CONFIG_REGISTRY: 'https://npm.pkg.github.com',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-github.ts#L209
```ts
  207 | } else {
  208 |   // Prepare environment variables for GitHub Packages
> 209 |   const env = {
  210 |     ...process.env,
  211 |     NPM_CONFIG_REGISTRY: 'https://npm.pkg.github.com',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-jfrog.ts#L138
```ts
  136 | debug(`Package name: ${ctx.packageJson.name}`);
  137 |
> 138 | const env = {
  139 |   ...process.env,
  140 |   NPM_CONFIG_REGISTRY: localRegistryUrl,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-jfrog.ts#L210
```ts
  208 | } else {
  209 |   // Prepare environment variables for GitHub Packages
> 210 |   const env = {
  211 |     ...process.env,
  212 |     NPM_CONFIG_REGISTRY: localRegistryUrl,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-npm.ts#L139
```ts
  137 | debug(`Package name: ${ctx.packageJson.name}`);
  138 |
> 139 | const env = {
  140 |   ...process.env,
  141 |   NPM_CONFIG_REGISTRY: 'https://registry.npmjs.org',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/commands/package/publish/deploy-to-npm.ts#L210
```ts
  208 | } else {
  209 |   // Prepare environment variables for NPM Packages
> 210 |   const env = {
  211 |     ...process.env,
  212 |     NPM_CONFIG_REGISTRY: 'https://registry.npmjs.org',
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/utils/listr2/create-exec-task.ts#L49
```ts
  47 | const execute = execa(cmd, args, {
  48 |   cwd,
> 49 |   env: {
  50 |     ...process.env,
  51 |     ...(env || {}),
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/utils/prompts/prompts.ts#L62
```ts
  60 |   stdio,
  61 |   cwd: projectPath,
> 62 |   env: {
  63 |     ...process.env,
  64 |     ...env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/utils/unisphere/get-dependency-graph.ts#L62
```ts
  60 |   cwd: rootDir,
  61 |   encoding: 'utf-8',
> 62 |   env: {
  63 |     ...process.env,
  64 |     NX_WORKSPACE_ROOT: rootDir,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/kaltura/unisphere-cli/blob/73f76997152731190ece1effa5c6d94bb1f423b3/src/lib/utils/unisphere/get-env-variables.ts#L13
```ts
  11 | return {
  12 |   isUnisphereEnvironment: isRunningFromUnisphereEnvironment,
> 13 |   envVariables: {
  14 |     ...process.env,
  15 |     UNISPHERE_MODE,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.