@websolutespa/bom-cli
BOM cli of the BOM Repository
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a setEnvVars helper that passes env to child processes — standard CLI pattern, not exfiltration. | ai | |
| phantom-deps | phantom-dep:nodemon | AI (phantom-deps): nodemon is listed as a runtime dep and referenced in scripts; phantom-dep heuristic is a false positive here. | ai | |
| provenance | no-provenance | AI (provenance): Established publisher with 27 approved packages; lack of provenance is common and not a disqualifier here. | ai | |
v1.10.2
1 finding

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
5 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/websolutespa/bom/blob/2a5f99c7d5a24fe87bcda39291bbe483cd8f90af/bin/index.js#L2933

```
  2931 | }
  2932 | function setEnvVars(vars) {
> 2933 |   const envVars = { ...process.env };
  2934 |   if (process.env.APPDATA) {
  2935 |     envVars.APPDATA = process.env.APPDATA;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/websolutespa/bom/blob/2a5f99c7d5a24fe87bcda39291bbe483cd8f90af/bin/index.js#L5482

```
  5480 |   Logger.warn(command);
  5481 |   const child = exec(command, {
> 5482 |     env: {
  5483 |       ...process.env,
  5484 |       FORCE_COLOR: "true"
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/websolutespa/bom/blob/2a5f99c7d5a24fe87bcda39291bbe483cd8f90af/src/env/env.ts#L92

```
    90 |
    91 | function setEnvVars(vars: Record<string, string>): Record<string, string> {
>   92 |   const envVars = { ...process.env } as Record<string, string>;
    93 |   if (process.env.APPDATA) {
    94 |     envVars.APPDATA = process.env.APPDATA;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/websolutespa/bom/blob/2a5f99c7d5a24fe87bcda39291bbe483cd8f90af/src/turbo/turbo.ts#L255

```
   253 |   Logger.warn(command);
   254 |   const child = exec(command, {
>  255 |     env: {
   256 |       ...process.env,
   257 |       FORCE_COLOR: 'true',
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.