
@zeropress/theme

ZeroPress theme developer toolkit

Versions: 10
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

laelbe

Keywords

zeropress, static-site-generator, ssg, build, theme, theme-development, developer-toolkit, theme-toolkit

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:silent-process-exec | AI (semgrep): Cross-platform browser-open helper (open/cmd start); standard dev-server pattern, not malicious. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same browser-open code path; stable false positive for this dev-toolkit package. | ai |

Versions (showing 10 of 10)

Version | Deps | Published
0.6.3 | 4 / 0 |
0.6.2 | 4 / 0 |
0.6.1 | 4 / 0 |
0.5.2 | 4 / 0 |
0.5.1 | 4 / 0 |
0.5.0 | 4 / 0 |
0.2.0 | 5 / 0 |
0.1.13 | 5 / 0 |
0.1.12 | 5 / 0 |
0.1.11 | 4 / 0 |

v0.6.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

7 findings
HIGH silent-process-exec: src/dev.js:759 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L759

      757 | const platform = process.platform;
      758 | if (platform === 'darwin') {
    > 759 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      760 | } else if (platform === 'win32') {
      761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:759 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L759

      757 | const platform = process.platform;
      758 | if (platform === 'darwin') {
    > 759 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      760 | } else if (platform === 'win32') {
      761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:761 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L761

      759 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      760 | } else if (platform === 'win32') {
    > 761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      762 | } else {
      763 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:761 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L761

      759 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      760 | } else if (platform === 'win32') {
    > 761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      762 | } else {
      763 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:763 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L763

      761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      762 | } else {
    > 763 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      764 | }
      765 | }

HIGH silent-process-exec-var: src/dev.js:763 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/0967cb631e80e0ac47c13c79609e8c235d1b90b2/src/dev.js#L763

      761 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      762 | } else {
    > 763 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      764 | }
      765 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

7 findings
HIGH silent-process-exec: src/dev.js:540 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L540

      538 | const platform = process.platform;
      539 | if (platform === 'darwin') {
    > 540 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      541 | } else if (platform === 'win32') {
      542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:540 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L540

      538 | const platform = process.platform;
      539 | if (platform === 'darwin') {
    > 540 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      541 | } else if (platform === 'win32') {
      542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:542 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L542

      540 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      541 | } else if (platform === 'win32') {
    > 542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      543 | } else {
      544 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:542 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L542

      540 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      541 | } else if (platform === 'win32') {
    > 542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      543 | } else {
      544 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:544 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L544

      542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      543 | } else {
    > 544 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      545 | }
      546 | }

HIGH silent-process-exec-var: src/dev.js:544 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/2d54f92310970b5de395669ad1063b2d7ebcab91/src/dev.js#L544

      542 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      543 | } else {
    > 544 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      545 | }
      546 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.13

7 findings
HIGH silent-process-exec: src/dev.js:484 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L484

      482 | const platform = process.platform;
      483 | if (platform === 'darwin') {
    > 484 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      485 | } else if (platform === 'win32') {
      486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:484 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L484

      482 | const platform = process.platform;
      483 | if (platform === 'darwin') {
    > 484 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      485 | } else if (platform === 'win32') {
      486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:486 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L486

      484 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      485 | } else if (platform === 'win32') {
    > 486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      487 | } else {
      488 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:486 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L486

      484 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      485 | } else if (platform === 'win32') {
    > 486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      487 | } else {
      488 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:488 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L488

      486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      487 | } else {
    > 488 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      489 | }
      490 | }

HIGH silent-process-exec-var: src/dev.js:488 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/ec459aa8fe9270b5535b36ea93631aa0e374af1b/src/dev.js#L488

      486 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      487 | } else {
    > 488 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      489 | }
      490 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.12

7 findings
HIGH silent-process-exec: src/dev.js:476 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L476

      474 | const platform = process.platform;
      475 | if (platform === 'darwin') {
    > 476 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      477 | } else if (platform === 'win32') {
      478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:476 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L476

      474 | const platform = process.platform;
      475 | if (platform === 'darwin') {
    > 476 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      477 | } else if (platform === 'win32') {
      478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:478 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L478

      476 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      477 | } else if (platform === 'win32') {
    > 478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      479 | } else {
      480 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:478 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L478

      476 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      477 | } else if (platform === 'win32') {
    > 478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      479 | } else {
      480 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:480 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L480

      478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      479 | } else {
    > 480 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      481 | }
      482 | }

HIGH silent-process-exec-var: src/dev.js:480 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/5bf31ed5c22926d7c4d6ac05292c8e7ec634eb8a/src/dev.js#L480

      478 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      479 | } else {
    > 480 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      481 | }
      482 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.11

7 findings
HIGH silent-process-exec: src/dev.js:561 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L561

      559 | const platform = process.platform;
      560 | if (platform === 'darwin') {
    > 561 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      562 | } else if (platform === 'win32') {
      563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:561 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L561

      559 | const platform = process.platform;
      560 | if (platform === 'darwin') {
    > 561 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      562 | } else if (platform === 'win32') {
      563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:563 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L563

      561 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      562 | } else if (platform === 'win32') {
    > 563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      564 | } else {
      565 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec-var: src/dev.js:563 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L563

      561 |   spawn('open', [url], { stdio: 'ignore', detached: true }).unref();
      562 | } else if (platform === 'win32') {
    > 563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      564 | } else {
      565 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();

HIGH silent-process-exec: src/dev.js:565 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L565

      563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      564 | } else {
    > 565 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      566 | }
      567 | }

HIGH silent-process-exec-var: src/dev.js:565 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zeropress-app/zeropress-theme/blob/8575e9994f2e7117a69848caab31091d215d3756/src/dev.js#L565

      563 |   spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true }).unref();
      564 | } else {
    > 565 |   spawn('xdg-open', [url], { stdio: 'ignore', detached: true }).unref();
      566 | }
      567 | }

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.