
@workos/oagen-emitters

WorkOS' oagen emitters

Versions: 44
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

gjtorikiannpm-workospeakematt-workosnickcollissonmark-workosgrinichnicknisi

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env in smoke test child process spawns to pass env to subprocess — not exfiltration. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 used as local proxy address in smoke tests — not a malicious remote endpoint. | ai |

Versions (showing 44 of 44)

Version Deps Published
0.16.0 1 / 11
0.15.2 1 / 11
0.15.1 1 / 11
0.15.0 1 / 11
0.14.4 1 / 11
0.14.3 1 / 11
0.14.2 1 / 11
0.14.1 1 / 11
0.14.0 1 / 11
0.13.0 1 / 11
0.12.5 1 / 11
0.12.4 1 / 11
0.12.3 1 / 11
0.12.2 1 / 11
0.12.1 1 / 11
0.12.0 1 / 11
0.11.0 1 / 11
0.10.0 1 / 11
0.9.1 1 / 11
0.9.0 1 / 11
0.8.2 1 / 11
0.8.1 1 / 11
0.8.0 1 / 11
0.7.5 1 / 11
0.7.4 1 / 11
0.7.3 1 / 11
0.7.2 1 / 11
0.7.1 1 / 11
0.7.0 1 / 11
0.6.8 1 / 11
0.6.7 1 / 11
0.6.6 1 / 11
0.6.5 1 / 11
0.6.4 1 / 11
0.6.3 1 / 11
0.6.2 1 / 11
0.6.1 1 / 11
0.6.0 1 / 11
0.5.0 1 / 11
0.4.0 1 / 11
0.3.0 1 / 11
0.2.1 1 / 11
0.2.0 1 / 11
0.0.1 1 / 10

v0.16.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.7

13 findings
HIGH env-spread: smoke/sdk-dotnet.ts:520 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-dotnet.ts#L520

  518 | const child = spawn('dotnet', ['run', '--no-restore'], {
  519 | cwd: tmpDir,
> 520 | env: {
  521 | ...process.env,
  522 | WORKOS_API_KEY: apiKey,

HIGH env-spread: smoke/sdk-dotnet.ts:669 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-dotnet.ts#L669

  667 | timeout: 120000,
  668 | stdio: ['pipe', 'pipe', 'pipe'],
> 669 | env: { ...process.env, DOTNET_NOLOGO: '1' },
  670 | });
  671 | console.log('SDK built successfully');

HIGH env-spread: smoke/sdk-dotnet.ts:708 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-dotnet.ts#L708

  706 | timeout: 120000,
  707 | stdio: ['pipe', 'pipe', 'pipe'],
> 708 | env: { ...process.env, DOTNET_NOLOGO: '1' },
  709 | });
  710 | console.log('Driver project bootstrapped');

HIGH env-spread: smoke/sdk-elixir.ts:540 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-elixir.ts#L540

  538 | await new Promise<void>((resolvePromise, rejectPromise) => {
  539 | const child = spawn('elixir', [scriptPath], {
> 540 | env: {
  541 | ...process.env,
  542 | WORKOS_API_KEY: apiKey,

HIGH env-spread: smoke/sdk-go.ts:730 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-go.ts#L730

  728 | cwd: tmpDir,
  729 | timeout: 120_000,
> 730 | env: {
  731 | ...process.env,
  732 | GOPATH: process.env.GOPATH || resolve(process.env.HOME || '~', 'go'),

HIGH env-spread: smoke/sdk-go.ts:747 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-go.ts#L747

  745 | cwd: tmpDir,
  746 | timeout: 120_000,
> 747 | env: {
  748 | ...process.env,
  749 | GOPATH: process.env.GOPATH || resolve(process.env.HOME || '~', 'go'),

HIGH env-spread: smoke/sdk-kotlin.ts:578 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-kotlin.ts#L578

  576 | const child = spawn('gradle', ['run', '--quiet'], {
  577 | cwd: tmpDir,
> 578 | env: {
  579 | ...process.env,
  580 | WORKOS_API_KEY: apiKey,

HIGH env-spread: smoke/sdk-python.ts:514 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-python.ts#L514

  512 | await new Promise<void>((resolvePromise, rejectPromise) => {
  513 | const child = spawn(python3Path, [scriptPath], {
> 514 | env: {
  515 | ...process.env,
  516 | PYTHONPATH: existsSync(resolve(sdkPath, 'src')) ? resolve(sdkPath, 'src') : resolve(sdkPath),

HIGH env-spread: smoke/sdk-ruby.ts:493 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-ruby.ts#L493

  491 | await new Promise<void>((resolvePromise, rejectPromise) => {
  492 | const child = spawn('ruby', [scriptPath], {
> 493 | env: {
  494 | ...process.env,
  495 | WORKOS_API_KEY: apiKey,

HIGH env-spread: smoke/sdk-rust.ts:432 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-rust.ts#L432

  430 | timeout: 300_000,
  431 | stdio: ['pipe', 'pipe', 'pipe'],
> 432 | env: { ...process.env },
  433 | });
  434 | console.log('Pre-build complete.');

HIGH env-spread: smoke/sdk-rust.ts:506 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-rust.ts#L506

  504 | timeout: 120_000,
  505 | stdio: ['pipe', 'pipe', 'pipe'],
> 506 | env: { ...process.env },
  507 | });
  508 | } catch (err: any) {

HIGH env-spread: smoke/sdk-rust.ts:547 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/workos/oagen-emitters/blob/d5418ae60da5085101041df60310f831363d4c97/smoke/sdk-rust.ts#L547

  545 | const child = spawn(join(tmpDir, 'target', 'debug', 'smoke-driver'), [], {
  546 | cwd: tmpDir,
> 547 | env: {
  548 | ...process.env,
  549 | WORKOS_API_KEY: apiKey,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.