@zintrust/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode used for AES-256-GCM IV and auth tag parsing — legitimate crypto pattern. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall is a no-op process.exit(0); stable false positive for this package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn in VersionChecker is a self-restart pattern for CLI version upgrades, not a reverse shell. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same VersionChecker self-restart context; benign for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy get trap is idiomatic JS; not obfuscation. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding JWT/auth token bodies in ServiceAuthMiddleware is standard auth middleware practice. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @zintrust/core is a framework, not a typosquat of cors; name collision is coincidental. | ai | |
| phantom-deps | phantom-dep:@zintrust/workers | AI (phantom-deps): Same-org sibling package loaded by framework convention. | ai | |
| phantom-deps | phantom-dep:@cloudflare/containers | AI (phantom-deps): Framework-scoped Cloudflare package loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:bullmq | AI (phantom-deps): bullmq is a declared dependency used via config/convention in this framework. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread passes process.env to a child process spawn — standard CLI framework pattern, not exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw-IP references are localhost (127.0.0.1) log messages, not external network calls. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads process.env to build worker dev-vars config file — expected framework behavior. | ai | |
Versions (showing 51 of 219)
| Version | Deps | Published |
|---|---|---|
| 2.5.0 | 12 / 0 | |
| 2.4.9 | 12 / 0 | |
| 2.4.8 | 12 / 0 | |
| 2.4.7 | 12 / 0 | |
| 2.4.6 | 12 / 0 | |
| 2.4.5 | 12 / 0 | |
| 2.4.4 | 12 / 0 | |
| 2.4.3 | 12 / 0 | |
| 2.4.2 | 12 / 0 | |
| 2.4.0 | 12 / 0 | |
| 2.3.1 | 12 / 0 | |
| 2.3.0 | 12 / 0 | |
| 2.2.9 | 12 / 0 | |
| 2.2.8 | 12 / 0 | |
| 2.2.7 | 12 / 0 | |
| 2.2.6 | 12 / 0 | |
| 2.2.5 | 12 / 0 | |
| 2.2.4 | 12 / 0 | |
| 2.2.3 | 12 / 0 | |
| 2.2.2 | 12 / 0 | |
| 2.2.1 | 12 / 0 | |
| 2.2.0 | 12 / 0 | |
| 2.1.9 | 10 / 0 | |
| 2.1.8 | 10 / 0 | |
| 2.1.7 | 10 / 0 | |
| 2.1.6 | 10 / 0 | |
| 2.1.5 | 10 / 0 | |
| 2.1.4 | 10 / 0 | |
| 2.1.3 | 10 / 0 | |
| 2.1.2 | 10 / 0 | |
| 2.1.1 | 10 / 0 | |
| 2.1.0 | 10 / 0 | |
| 2.0.8 | 10 / 0 | |
| 2.0.7 | 10 / 0 | |
| 2.0.6 | 10 / 0 | |
| 2.0.5 | 10 / 0 | |
| 2.0.4 | 10 / 0 | |
| 2.0.3 | 10 / 0 | |
| 2.0.2 | 10 / 0 | |
| 2.0.1 | 10 / 0 | |
| 2.0.0 | 10 / 0 | |
| 1.8.6 | 10 / 0 | |
| 1.8.5 | 10 / 0 | |
| 1.8.4 | 10 / 0 | |
| 1.8.3 | 10 / 0 | |
| 1.8.2 | 10 / 0 | |
| 1.8.1 | 10 / 0 | |
| 1.8.0 | 10 / 0 | |
| 1.7.3 | 10 / 0 | |
| 1.7.2 | 10 / 0 | |
| 1.7.1 | 10 / 0 | |
v2.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.8
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/f35b262607add5cc9470c5b94f72c266351c74e0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/f35b262607add5cc9470c5b94f72c266351c74e0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/3c553e92f5636dabcd86e67190711a37c2f71f7c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/3c553e92f5636dabcd86e67190711a37c2f71f7c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.6
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.5
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.4
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommand.js#L51 49 | command: 'tsx', 50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 51 | env: { 52 | ...process.env, 53 | },
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.3
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/bin/zintrust-main.js#L113
```
  111 | const child = spawn(process.execPath, childArgs, {
  112 |   stdio: 'inherit',
> 113 |   env: {
  114 |     ...process.env,
  115 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b622471e9f07b320878e6fcd0ebb3205304a6c1f/src/cli/services/VersionChecker.js#L324
```
  322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |   detached: true,
> 324 |   env: {
  325 |     ...process.env,
  326 |     [VERSION_CHECK_CHILD_ENV]: 'true',
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.2
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L324
```
  322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |   detached: true,
> 324 |   env: {
  325 |     ...process.env,
  326 |     [VERSION_CHECK_CHILD_ENV]: 'true',
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.1
11 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L322
```
  320 | }
  321 | try {
> 322 |   const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |     detached: true,
  324 |     env: {
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/99293a2451e5613118cb48929438e0b9243a734b/src/cli/services/VersionChecker.js#L324
```
  322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], {
  323 |   detached: true,
> 324 |   env: {
  325 |     ...process.env,
  326 |     [VERSION_CHECK_CHILD_ENV]: 'true',
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
8 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/b1d6ed3442697e758b2c318dff1cec29c8a428c7/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.3
8 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/aef25156df5d324be32e79a950fad4fffc610afe/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.2
8 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/6ba94c7b1f02f330e228e58e529a07c378663e69/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.1
8 findings
Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/bin/zintrust-main.js#L108
```
  106 | const child = spawn(process.execPath, [target.binPath, ...rawArgs], {
  107 |   stdio: 'inherit',
> 108 |   env: {
  109 |     ...process.env,
  110 |     [CLI_HANDOFF_ENV_KEY]: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/src/cli/commands/D1LearnCommand.js#L64
```
  62 | const child = spawn(cmd, args, {
  63 |   stdio: 'inherit',
> 64 |   env: {
  65 |     ...process.env,
  66 |     ZT_D1_LEARN_FILE: LEARN_FILE,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/src/cli/commands/ProxyCommand.js#L51
```
  49 | command: 'tsx',
  50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra],
> 51 | env: {
  52 |   ...process.env,
  53 | },
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/src/cli/commands/ProxyCommandUtils.js#L56
```
  54 | command: 'tsx',
  55 | args,
> 56 | env: {
  57 |   ...process.env,
  58 |   ZINTRUST_PROXY_WATCH_CHILD: '1',
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/src/cli/commands/StartCommand.js#L338
```
  336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis
  337 | };
> 338 | const buildStartEnv = (projectRoot) => ({
  339 |   ...process.env,
  340 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ZinTrust/ZinTrust/blob/ef4e9becb182b8010ede9f50bd786d1b0f6840bd/src/cli/commands/schedule/ScheduleCliSupport.js#L161
```
  159 | args: [reentryScript, ...process.argv.slice(2)],
  160 | cwd: projectRoot,
> 161 | env: {
  162 |   ...process.env,
  163 |   ZINTRUST_PROJECT_ROOT: projectRoot,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.