@vibe-forge/utils
Shared runtime utilities for Vibe Forge
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): process.env spread in npm CLI helper to pass environment to child processes; expected pattern for this utility. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Fires on afplay (macOS audio player) with fixed args; detached/unref is standard fire-and-forget audio pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same afplay call as silent-process-exec; stable false positive for this package. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 3.4.1 | 4 / 2 | |
| 3.4.0 | 4 / 2 | |
| 3.3.1 | 4 / 2 | |
| 3.3.0 | 4 / 2 | |
| 3.2.2 | 3 / 1 | |
| 3.2.0 | 3 / 1 | |
| 3.1.5 | 3 / 1 | |
| 3.1.4 | 3 / 1 | |
| 3.1.2 | 3 / 1 | |
| 2.0.1 | 3 / 1 | |
| 0.11.2 | 3 / 1 | |
| 0.8.0 | 3 / 1 |
v3.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.2
6 findingsSpreading entire process.env into an object — may capture all secrets 209 | env: Record<string, string | null | undefined> 210 | paths: ManagedNpmCliPaths > 211 | }) => ({ 212 | ...process.env, 213 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 250 | version: installOptions.version 251 | }) > 252 | const probeEnv = { 253 | ...process.env, 254 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 99 | registry: params.registry 100 | }) > 101 | const env = { 102 | ...process.env, 103 | ...command.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.0
6 findingsSpreading entire process.env into an object — may capture all secrets 209 | env: Record<string, string | null | undefined> 210 | paths: ManagedNpmCliPaths > 211 | }) => ({ 212 | ...process.env, 213 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 250 | version: installOptions.version 251 | }) > 252 | const probeEnv = { 253 | ...process.env, 254 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 99 | registry: params.registry 100 | }) > 101 | const env = { 102 | ...process.env, 103 | ...command.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.5
6 findingsSpreading entire process.env into an object — may capture all secrets 209 | env: Record<string, string | null | undefined> 210 | paths: ManagedNpmCliPaths > 211 | }) => ({ 212 | ...process.env, 213 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 250 | version: installOptions.version 251 | }) > 252 | const probeEnv = { 253 | ...process.env, 254 | ...Object.fromEntries(
Spreading entire process.env into an object — may capture all secrets 99 | registry: params.registry 100 | }) > 101 | const env = { 102 | ...process.env, 103 | ...command.env,
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
3 findingsSilent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Silent detached process — runs invisibly in the background (reverse shells, miners) 52 | try { 53 | const args = ['-v', `${resolvedVolume ?? 1}`, resolvedSound] > 54 | const proc = spawn('afplay', args, { stdio: 'ignore', detached: true }) 55 | proc.unref() 56 | } catch {
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.