@zibby/workflow-templates
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a well-known templating library; unvetted flag is a heuristic, no advisory present. | ai | |
| phantom-deps | phantom-dep:@anthropic-ai/sdk | AI (phantom-deps): @anthropic-ai/sdk was removed as a runtime dep in this version; phantom-dep finding is a stale artifact. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread used to pass environment to git subprocess — standard pattern, not credential exfiltration. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.7.1 | 6 / 3 | |
| 0.7.0 | 6 / 3 | |
| 0.4.2 | 5 / 3 | |
| 0.4.1 | 5 / 3 | |
| 0.2.1 | 5 / 3 | |
| 0.2.0 | 5 / 3 | |
v0.7.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. To check this yourself, run `npm view @zibby/workflow-templates@0.7.1 dist.attestations`: a version published with provenance returns an attestations URL and a SLSA predicateType, while an unattested version prints nothing. `npm audit signatures` performs the same check for every package already in a lockfile.
v0.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
5 findings

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/code-analysis/nodes/setup-node.js#L59

```js
  57 | if (isGithub && githubToken) {
  58 |   cloneUrl = repo.url.replace('https://github.com', `https://x-access-token:${githubToken}@github.com`);
> 59 |   cloneEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0', GIT_ASKPASS: 'echo' };
  60 | } else if (isGitlab && gitlabToken && gitlabUrl) {
  61 |   try {
```

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/code-analysis/nodes/setup-node.js#L67

```js
  65 |       console.warn(`⚠️ Failed to parse GITLAB_URL: ${e.message}`);
  66 |     }
> 67 |     cloneEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0', GIT_ASKPASS: 'echo' };
  68 |   }
  69 |
```

Spreading entire process.env into an object — may capture all secrets. The same code appears at the same two lines in the second workflow:
Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/generate-test-cases/nodes/setup-node.js#L59
Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/generate-test-cases/nodes/setup-node.js#L67

What semgrep is pointing at: the spread hands every variable in the runner's environment (cloud credentials, registry tokens, API keys) to the git subprocess and to anything git execs, when git only needs PATH, HOME and a few proxy and TLS settings. Line 58, which the scanner does not flag, also interpolates the GitHub token into the clone URL; git records that URL as the remote in the clone's .git/config and it is visible in the process argument list, so the token ends up on disk and exposed to other processes on the runner as well as in the inherited environment.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
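The flagged pattern beside a hardened version, as an added example that is not code from the workflow-templates project. It assumes git 2.31 or newer (for the GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n one-shot config variables), GitHub's convention of accepting a token as HTTP basic auth with the user name x-access-token, and an allowlist of environment variables that is illustrative rather than exhaustive; the sample runner environment and token are constructed.

```javascript
// Added example, not from @zibby/workflow-templates. Builds a minimal, allowlisted
// environment and argument list for `git clone` instead of `{ ...process.env, ... }`
// with the token interpolated into the URL. Assumes git >= 2.31 (GIT_CONFIG_COUNT).

// Variables git itself needs to run. Everything else in the parent env stays out.
// Illustrative allowlist; extend it for your runner (e.g. SSL_CERT_DIR, HTTP_PROXY).
const GIT_ENV_ALLOWLIST = ['PATH', 'HOME', 'LANG', 'LC_ALL', 'SSL_CERT_FILE', 'HTTPS_PROXY', 'NO_PROXY'];

// The pattern the scanner flagged, kept here only for comparison.
function legacyCloneEnv(githubToken, baseEnv = process.env) {
  return { ...baseEnv, GIT_TERMINAL_PROMPT: '0', GIT_ASKPASS: 'echo' };
}

// Hardened form: credential-free URL, allowlisted env, token delivered as a
// URL-scoped HTTP header via one-shot git config in the environment.
function buildGitClone(repoUrl, { githubToken, baseEnv = process.env, dest = 'repo' }) {
  const env = {};
  for (const key of GIT_ENV_ALLOWLIST) {
    if (baseEnv[key] !== undefined) env[key] = baseEnv[key];
  }
  // Fail fast instead of hanging on an interactive credential prompt.
  env.GIT_TERMINAL_PROMPT = '0';

  if (githubToken) {
    // GitHub accepts the token as basic auth with user "x-access-token".
    const basic = Buffer.from(`x-access-token:${githubToken}`).toString('base64');
    // GIT_CONFIG_COUNT/KEY_n/VALUE_n inject config for this process only: the token
    // is never on argv (no `ps` exposure) and never written to .git/config.
    // Scoping the key to https://github.com/ keeps the header off other hosts.
    env.GIT_CONFIG_COUNT = '1';
    env.GIT_CONFIG_KEY_0 = 'http.https://github.com/.extraheader';
    env.GIT_CONFIG_VALUE_0 = `AUTHORIZATION: basic ${basic}`;
  }

  // `--` stops a repoUrl beginning with '-' from being parsed as an option.
  return { cmd: 'git', args: ['clone', '--depth', '1', '--', repoUrl, dest], env };
}

// Keys of parentEnv that reach the child although git does not need them.
function leakedKeys(childEnv, parentEnv) {
  return Object.keys(parentEnv).filter(
    (k) => k in childEnv && !GIT_ENV_ALLOWLIST.includes(k)
  );
}

// Constructed runner environment and token for the demonstration (not real values).
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/runner',
  AWS_SECRET_ACCESS_KEY: 'constructed-aws-secret',
  NPM_TOKEN: 'constructed-npm-token',
  OPENAI_API_KEY: 'constructed-api-key',
};
const SAMPLE_TOKEN = 'ghs_constructed_token';

const before = legacyCloneEnv(SAMPLE_TOKEN, SAMPLE_ENV);
const after = buildGitClone('https://github.com/ZibbyHQ/workflow-templates.git', {
  githubToken: SAMPLE_TOKEN,
  baseEnv: SAMPLE_ENV,
});
console.log('legacy env leaks:', leakedKeys(before, SAMPLE_ENV));
// → [ 'AWS_SECRET_ACCESS_KEY', 'NPM_TOKEN', 'OPENAI_API_KEY' ]
console.log('hardened env leaks:', leakedKeys(after.env, SAMPLE_ENV));
// → []
console.log('argv contains token:', after.args.join(' ').includes(SAMPLE_TOKEN));
// → false
```

Run the result with `child_process.spawnSync(r.cmd, r.args, { env: r.env, stdio: 'inherit' })`. Because the stored remote URL carries no credentials, a later `git fetch` inside the clone gets a 401 unless the same environment is supplied again, which is the intended property: the token lives only for the lifetime of the process that needs it.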
v0.2.0
5 findings, identical to v0.2.1 (same source commit 14bb267ae7d36adebdc4c305d8b6effa8a35df5d):

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/code-analysis/nodes/setup-node.js#L59
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/code-analysis/nodes/setup-node.js#L67
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/generate-test-cases/nodes/setup-node.js#L59
- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/ZibbyHQ/workflow-templates/blob/14bb267ae7d36adebdc4c305d8b6effa8a35df5d/generate-test-cases/nodes/setup-node.js#L67
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.