@zokugun/vscode-utils

Some utilities for VSCode extensions

Versions: 3
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

daiyam

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is used to relaunch a macOS app via osascript — documented VSCode extension restart utility, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same osascript restart-app pattern; detached/ignored stdio is required for the app relaunch to survive the parent process. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is imported solely for the app-restart utility; expected for this package's purpose. | ai | |

Versions (showing 3 of 3)

Version Deps Published
0.3.1 2 / 13
0.3.0 2 / 11
0.2.0 1 / 12

v0.3.1

9 findings
HIGH silent-process-exec: lib/esm/restart-app.mjs:37 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L37

  35 | return binary;
  36 | }
> 37 | spawn('osascript', ['-e', `quit app "${nameLong}"`, '-e', 'delay 1', '-e', `do shell script quoted form of "${binary
  38 | detached: true,
  39 | stdio: 'ignore',

HIGH silent-process-exec-var: lib/esm/restart-app.mjs:37 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L37

  35 | return binary;
  36 | }
> 37 | spawn('osascript', ['-e', `quit app "${nameLong}"`, '-e', 'delay 1', '-e', `do shell script quoted form of "${binary
  38 | detached: true,
  39 | stdio: 'ignore',

HIGH silent-process-exec: lib/esm/restart-app.mjs:53 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L53

  51 | return binary;
  52 | }
> 53 | spawn(process.env.comspec ?? 'cmd', [`/C taskkill /F /IM ${exeName} >nul && timeout /T 1 && "${binary.value}"`], {
  54 | detached: true,
  55 | stdio: 'ignore',

HIGH silent-process-exec-var: lib/esm/restart-app.mjs:53 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L53

  51 | return binary;
  52 | }
> 53 | spawn(process.env.comspec ?? 'cmd', [`/C taskkill /F /IM ${exeName} >nul && timeout /T 1 && "${binary.value}"`], {
  54 | detached: true,
  55 | stdio: 'ignore',

HIGH silent-process-exec: lib/esm/restart-app.mjs:77 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L77

  75 | }
  76 | const pid = process.env.VSCODE_PID;
> 77 | spawn('/bin/sh', ['-c', `kill -15 ${pid} && sleep 1 && (kill -9 ${pid} && sleep 1 || true) && "${binary}"`], {
  78 | detached: true,
  79 | stdio: 'ignore',

HIGH silent-process-exec-var: lib/esm/restart-app.mjs:77 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L77

  75 | }
  76 | const pid = process.env.VSCODE_PID;
> 77 | spawn('/bin/sh', ['-c', `kill -15 ${pid} && sleep 1 && (kill -9 ${pid} && sleep 1 || true) && "${binary}"`], {
  78 | detached: true,
  79 | stdio: 'ignore',

HIGH silent-process-exec: lib/esm/restart-app.mjs:91 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L91

  89 | return binary;
  90 | }
> 91 | spawn('/bin/sh', ['-c', `killall "${process.execPath}" && sleep 1 && killall -9 "${process.execPath}" && sleep 1
  92 | detached: true,
  93 | stdio: 'ignore',

HIGH silent-process-exec-var: lib/esm/restart-app.mjs:91 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/zokugun/vscode-utils/blob/1d7c8041340af0c58136426d62125977b742e8ce/lib/esm/restart-app.mjs#L91

  89 | return binary;
  90 | }
> 91 | spawn('/bin/sh', ['-c', `killall "${process.execPath}" && sleep 1 && killall -9 "${process.execPath}" && sleep 1
  92 | detached: true,
  93 | stdio: 'ignore',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.