@zintrust/core — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

diadal

Keywords

frameworktypescriptbackendormquery-builderrest-apireactreact-apivuevue-apisymfonylaravel

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:hex-decode	AI (semgrep): Hex decode used for AES-256-GCM IV and auth tag parsing — legitimate crypto pattern.	ai	2026/05/27
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall is a no-op process.exit(0); stable false positive for this package.	ai	2026/05/27
semgrep	semgrep:silent-process-exec	AI (semgrep): Detached spawn in VersionChecker is a self-restart pattern for CLI version upgrades, not a reverse shell.	ai	2026/05/26
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same VersionChecker self-restart context; benign for this package.	ai	2026/05/26
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get inside a Proxy get trap is idiomatic JS; not obfuscation.	ai	2026/05/22
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding JWT/auth token bodies in ServiceAuthMiddleware is standard auth middleware practice.	ai	2026/05/22
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped package @zintrust/core is a framework, not a typosquat of cors; name collision is coincidental.	ai	2026/05/22
phantom-deps	phantom-dep:@zintrust/workers	AI (phantom-deps): Same-org sibling package loaded by framework convention.	ai	2026/05/22
phantom-deps	phantom-dep:@cloudflare/containers	AI (phantom-deps): Framework-scoped Cloudflare package loaded by convention, not direct import.	ai	2026/05/22
phantom-deps	phantom-dep:bullmq	AI (phantom-deps): bullmq is a declared dependency used via config/convention in this framework.	ai	2026/05/22
semgrep	semgrep:env-spread	AI (semgrep): env-spread passes process.env to a child process spawn — standard CLI framework pattern, not exfiltration.	ai	2026/05/22
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All raw-IP references are localhost (127.0.0.1) log messages, not external network calls.	ai	2026/05/22
semgrep	semgrep:env-bulk-read	AI (semgrep): Reads process.env to build worker dev-vars config file — expected framework behavior.	ai	2026/05/22

Versions (showing 100 of 219)

Version	Deps	Published
2.5.0	12 / 0	2026-06-03
2.4.9	12 / 0	2026-06-02
2.4.8	12 / 0	2026-06-02
2.4.7	12 / 0	2026-06-01
2.4.6	12 / 0	2026-06-01
2.4.5	12 / 0	2026-06-01
2.4.4	12 / 0	2026-06-01
2.4.3	12 / 0	2026-06-01
2.4.2	12 / 0	2026-05-31
2.4.0	12 / 0	2026-05-30
2.3.1	12 / 0	2026-05-29
2.3.0	12 / 0	2026-05-29
2.2.9	12 / 0	2026-05-29
2.2.8	12 / 0	2026-05-29
2.2.7	12 / 0	2026-05-29
2.2.6	12 / 0	2026-05-28
2.2.5	12 / 0	2026-05-28
2.2.4	12 / 0	2026-05-28
2.2.3	12 / 0	2026-05-28
2.2.2	12 / 0	2026-05-28
2.2.1	12 / 0	2026-05-27
2.2.0	12 / 0	2026-05-27
2.1.9	10 / 0	2026-05-27
2.1.8	10 / 0	2026-05-27
2.1.7	10 / 0	2026-05-27
2.1.6	10 / 0	2026-05-27
2.1.5	10 / 0	2026-05-27
2.1.4	10 / 0	2026-05-27
2.1.3	10 / 0	2026-05-27
2.1.2	10 / 0	2026-05-26
2.1.1	10 / 0	2026-05-26
2.1.0	10 / 0	2026-05-25
2.0.8	10 / 0	2026-05-23
2.0.7	10 / 0	2026-05-22
2.0.6	10 / 0	2026-05-22
2.0.5	10 / 0	2026-05-22
2.0.4	10 / 0	2026-05-22
2.0.3	10 / 0	2026-05-22
2.0.2	10 / 0	2026-05-21
2.0.1	10 / 0	2026-05-21
2.0.0	10 / 0	2026-05-20
1.8.6	10 / 0	2026-05-19
1.8.5	10 / 0	2026-05-15
1.8.4	10 / 0	2026-05-15
1.8.3	10 / 0	2026-05-08
1.8.2	10 / 0	2026-05-06
1.8.1	10 / 0	2026-05-06
1.8.0	10 / 0	2026-05-04
1.7.3	10 / 0	2026-05-04
1.7.2	10 / 0	2026-05-02
1.7.1	10 / 0	2026-05-01
1.7.0	10 / 0	2026-04-30
1.6.4	10 / 0	2026-04-30
1.6.3	10 / 0	2026-04-30
1.6.2	10 / 0	2026-04-30
1.6.1	10 / 0	2026-04-30
1.6.0	10 / 0	2026-04-29
1.5.5	10 / 0	2026-04-29
1.5.4	10 / 0	2026-04-29
1.5.3	10 / 0	2026-04-27
1.5.2	10 / 0	2026-04-25
1.5.1	10 / 0	2026-04-25
1.5.0	10 / 0	2026-04-24
1.2.0	10 / 0	2026-04-24
0.9.6	10 / 0	2026-04-23
0.9.5	10 / 0	2026-04-23
0.9.4	10 / 0	2026-04-23
0.9.3	10 / 0	2026-04-22
0.9.2	10 / 0	2026-04-21
0.9.1	10 / 0	2026-04-21
0.9.0	10 / 0	2026-04-21
0.7.9	10 / 0	2026-04-20
0.7.8	10 / 0	2026-04-19
0.7.7	10 / 0	2026-04-19
0.7.3	10 / 0	2026-04-18
0.7.2	10 / 0	2026-04-18
0.7.0	9 / 0	2026-04-17
0.5.9	9 / 0	2026-04-14
0.5.8	9 / 0	2026-04-14
0.5.7	9 / 0	2026-04-13
0.5.5	9 / 0	2026-04-13
0.5.2	9 / 0	2026-04-12
0.5.1	9 / 0	2026-04-12
0.5.0	9 / 0	2026-04-12
0.4.101	9 / 0	2026-04-12
0.4.99	9 / 0	2026-04-12
0.4.98	9 / 0	2026-04-12
0.4.96	9 / 0	2026-04-11
0.4.95	9 / 0	2026-04-11
0.4.94	9 / 0	2026-04-11
0.4.93	9 / 0	2026-04-11
0.4.92	9 / 0	2026-04-10
0.4.91	9 / 0	2026-04-10
0.4.89	9 / 0	2026-04-09
0.4.88	9 / 0	2026-04-09
0.4.87	9 / 0	2026-04-09
0.4.86	9 / 0	2026-04-09
0.4.84	9 / 0	2026-04-08
0.4.83	9 / 0	2026-04-08
0.4.81	9 / 0	2026-04-08

Showing 100 of 219 Next page →

v2.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.8

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/f35b262607add5cc9470c5b94f72c266351c74e0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/f35b262607add5cc9470c5b94f72c266351c74e0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.7

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.6

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/455bcfda757e70b2e260edc095d53604233fcf5c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

3 findings

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/3c553e92f5636dabcd86e67190711a37c2f71f7c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/3c553e92f5636dabcd86e67190711a37c2f71f7c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:57 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },

HIGH env-spread: src/cli/commands/ProxyCommandUtils.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',

HIGH env-spread: src/cli/commands/StartCommand.js:338 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH env-spread: src/cli/commands/schedule/ScheduleCliSupport.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH env-spread: src/cli/services/VersionChecker.js:324 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/42896740b8394aceb9e86e962538156d99364bd9/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:57 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },

HIGH env-spread: src/cli/commands/ProxyCommandUtils.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',

HIGH env-spread: src/cli/commands/StartCommand.js:338 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH env-spread: src/cli/commands/schedule/ScheduleCliSupport.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH env-spread: src/cli/services/VersionChecker.js:324 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8a17870e9de6662992207ca8d5f0ec616cea089c/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:57 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },

HIGH env-spread: src/cli/commands/ProxyCommandUtils.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',

HIGH env-spread: src/cli/commands/StartCommand.js:338 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH env-spread: src/cli/commands/schedule/ScheduleCliSupport.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH env-spread: src/cli/services/VersionChecker.js:324 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/be96835b17346867149cdbeacddbbe21ff2de611/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.6

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:57 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },

HIGH env-spread: src/cli/commands/ProxyCommandUtils.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',

HIGH env-spread: src/cli/commands/StartCommand.js:338 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH env-spread: src/cli/commands/schedule/ScheduleCliSupport.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH env-spread: src/cli/services/VersionChecker.js:324 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/8fa7b1131103eb549562bafd416c1b56cdcc210a/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.5

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:57 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommand.js#L57 55 | command: 'tsx', 56 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 57 | env: { 58 | ...process.env, 59 | },

HIGH env-spread: src/cli/commands/ProxyCommandUtils.js:56 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommandUtils.js#L56 54 | command: 'tsx', 55 | args, > 56 | env: { 57 | ...process.env, 58 | ZINTRUST_PROXY_WATCH_CHILD: '1',

HIGH env-spread: src/cli/commands/StartCommand.js:338 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/StartCommand.js#L338 336 | throw ErrorFactory.createCliError("Error: No ZinTrust app found. Run 'zin new <project>' or ensure package.json exis 337 | }; > 338 | const buildStartEnv = (projectRoot) => ({ 339 | ...process.env, 340 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH env-spread: src/cli/commands/schedule/ScheduleCliSupport.js:161 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/schedule/ScheduleCliSupport.js#L161 159 | args: [reentryScript, ...process.argv.slice(2)], 160 | cwd: projectRoot, > 161 | env: { 162 | ...process.env, 163 | ZINTRUST_PROJECT_ROOT: projectRoot,

HIGH silent-process-exec: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH silent-process-exec-var: src/cli/services/VersionChecker.js:322 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L322 320 | } 321 | try { > 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, 324 | env: {

HIGH env-spread: src/cli/services/VersionChecker.js:324 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/services/VersionChecker.js#L324 322 | const child = spawn(process.execPath, [...process.execArgv, entrypoint, ...process.argv.slice(2)], { 323 | detached: true, > 324 | env: { 325 | ...process.env, 326 | [VERSION_CHECK_CHILD_ENV]: 'true',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.4

11 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.

HIGH env-spread: bin/zintrust-main.js:113 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/bin/zintrust-main.js#L113 111 | const child = spawn(process.execPath, childArgs, { 112 | stdio: 'inherit', > 113 | env: { 114 | ...process.env, 115 | [CLI_HANDOFF_ENV_KEY]: '1',

HIGH env-spread: src/cli/commands/D1LearnCommand.js:64 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/D1LearnCommand.js#L64 62 | const child = spawn(cmd, args, { 63 | stdio: 'inherit', > 64 | env: { 65 | ...process.env, 66 | ZT_D1_LEARN_FILE: LEARN_FILE,

HIGH env-spread: src/cli/commands/ProxyCommand.js:51 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/ZinTrust/ZinTrust/blob/d9b259f44132625fdd83a07c020dffd845054fc0/src/cli/commands/ProxyCommand.js#L51 49 | command: 'tsx', 50 | args: [path.join('bin', 'zin.ts'), mapped, ...extra], > 51 | env: { 52 | ...process.env, 53 | },