
alepha

Easy-to-use modern TypeScript framework for building many kind of applications.

Versions: 8
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
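What that "cryptographic link" consists of, as an added example in TypeScript that is not part of this page's tooling or of Alepha: an npm SLSA v1 attestation is an in-toto statement whose subject carries the tarball's sha512 and whose predicate records the workflow repository, the builder and the resolved source commit. The function below takes a statement whose Sigstore/DSSE signature has already been verified (for example by `npm audit signatures`) and checks that it is actually about the tarball in hand and the repository you trust. The tarball bytes, the workflow path and the pairing of the commit `a672ac9a…` (taken from the source links on this page) with version 0.20.2 are constructed for the demo; the field layout follows the SLSA v1 predicate npm publishes from GitHub Actions, and the builder-id prefix is an assumption about that builder.

```typescript
// Added example, not Alepha code or the scanner's code. Offline checks on an
// npm SLSA v1 provenance statement. Assumes the DSSE envelope signature was
// already verified (e.g. `npm audit signatures`); this only inspects the payload.
import { createHash } from "node:crypto";

interface Subject { name: string; digest: Record<string, string> }
interface ResolvedDependency { uri: string; digest?: Record<string, string> }
export interface SlsaV1Statement {
  _type: string;
  subject: Subject[];
  predicateType: string;
  predicate: {
    buildDefinition: {
      buildType: string;
      externalParameters: { workflow?: { ref: string; repository: string; path: string } };
      resolvedDependencies?: ResolvedDependency[];
    };
    runDetails: { builder: { id: string } };
  };
}
export interface Expectation { purl: string; repository: string }
export interface CheckResult { ok: boolean; reasons: string[]; gitCommit?: string }

export const SLSA_V1 = "https://slsa.dev/provenance/v1";
// Assumption: GitHub Actions builder ids (github-hosted / self-hosted) share this prefix.
const GITHUB_RUNNER = "https://github.com/actions/runner/";

export function checkProvenance(stmt: SlsaV1Statement, tarball: Buffer, want: Expectation): CheckResult {
  const reasons: string[] = [];
  if (stmt._type !== "https://in-toto.io/Statement/v1") reasons.push(`unexpected statement type ${stmt._type}`);
  if (stmt.predicateType !== SLSA_V1) reasons.push(`predicate is ${stmt.predicateType}, not ${SLSA_V1}`);

  // 1. The attestation must be about *this* tarball: subject name is the package purl, digest is sha512.
  const sha512 = createHash("sha512").update(tarball).digest("hex");
  const subject = stmt.subject.find((s) => s.name === want.purl);
  if (!subject) reasons.push(`no subject named ${want.purl}`);
  else if (subject.digest.sha512 !== sha512) reasons.push("subject sha512 does not match the tarball");

  // 2. The build must have run from the repository we trust (not a fork or typosquat repo).
  const repo = stmt.predicate.buildDefinition.externalParameters.workflow?.repository;
  if (repo !== want.repository) reasons.push(`workflow repository is ${repo ?? "missing"}, expected ${want.repository}`);

  // 3. On a builder we recognise.
  const builder = stmt.predicate.runDetails.builder.id;
  if (!builder.startsWith(GITHUB_RUNNER)) reasons.push(`unrecognised builder ${builder}`);

  // 4. And it must pin the exact source commit; that commit is the link back to public source.
  const source = stmt.predicate.buildDefinition.resolvedDependencies?.find((d) =>
    d.uri.startsWith(`git+${want.repository}@`));
  const gitCommit = source?.digest?.gitCommit;
  if (!gitCommit || !/^[0-9a-f]{40}$/.test(gitCommit)) reasons.push("no resolved source gitCommit for the repository");

  return { ok: reasons.length === 0, reasons, gitCommit };
}

// Constructed inputs: not real alepha package bytes; the commit is the one the scanner
// links to on this page, used here only as sample data. Workflow path is an assumption.
export const SAMPLE_TARBALL = Buffer.from("constructed stand-in for alepha-0.20.2.tgz, not real package bytes");
export const EXPECTED: Expectation = { purl: "pkg:npm/alepha@0.20.2", repository: "https://github.com/feunard/alepha" };

export function sampleStatement(tarball: Buffer): SlsaV1Statement {
  return {
    _type: "https://in-toto.io/Statement/v1",
    subject: [{ name: EXPECTED.purl, digest: { sha512: createHash("sha512").update(tarball).digest("hex") } }],
    predicateType: SLSA_V1,
    predicate: {
      buildDefinition: {
        buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
        externalParameters: { workflow: { ref: "refs/heads/main", repository: EXPECTED.repository, path: ".github/workflows/release.yml" } },
        resolvedDependencies: [{ uri: `git+${EXPECTED.repository}@refs/heads/main`, digest: { gitCommit: "a672ac9a2cf7d18e9e877c2334a7de8144608aea" } }],
      },
      runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" } },
    },
  };
}

console.log("genuine :", checkProvenance(sampleStatement(SAMPLE_TARBALL), SAMPLE_TARBALL, EXPECTED));
console.log("tampered:", checkProvenance(sampleStatement(SAMPLE_TARBALL), Buffer.from("tampered"), EXPECTED).reasons);
console.log("fork    :", checkProvenance(sampleStatement(SAMPLE_TARBALL), SAMPLE_TARBALL,
  { ...EXPECTED, repository: "https://github.com/someone-else/alepha" }).reasons);
```

The point of the page's warning is step 1 and step 4 together: a signed statement that does not name this tarball's digest, or that resolves no commit in the expected repository, is not evidence that the tarball was built from the public source. The signature itself is checked by the registry tooling; keep that step, and run these payload checks after it.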

Maintainers

alepha

Keywords

alepha, aleph, framework, serverless, react, api

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:shady-links-tlds | AI (semgrep): URLs reference alepha.club (the package's own domain) in test fixtures — not C2 infrastructure. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in vendored swagger-ui-standalone-preset.js bundle; not authored code, well-known upstream library. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Used in CryptoProvider for key comparison — legitimate cryptographic operation. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Used in test file to decode JWT payload for assertion — not malicious. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Used in CLI dev command to spawn child processes with env vars — standard and expected pattern for this framework. | ai |
phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is a runtime dep used via config/CLI invocation, not direct import; false positive for this framework. | ai |
phantom-deps | phantom-dep:typescript | AI (phantom-deps): typescript used as compiler tooling via config, not direct import; false positive for this framework. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in ORM entity proxy — standard JS Proxy trap pattern. | ai |

Versions (showing 8 of 8)

Version Deps Published
0.20.4 11 / 28
0.20.3 10 / 27
0.20.2 10 / 24
0.20.1 10 / 24
0.19.5 10 / 24
0.19.4 10 / 24
0.19.3 10 / 24
0.19.2 11 / 23

v0.20.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.20.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.20.2

7 findings
HIGH env-spread: src/cli/core/commands/dev.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/cli/core/commands/dev.ts#L184

  182 |   cwd: app.path,
  183 |   stdio: "inherit",
> 184 |   env: {
  185 |     ...process.env,
  186 |     APP_NAME: app.name.toUpperCase(),

HIGH env-spread: src/cli/core/providers/ViteDevServerProvider.ts:482 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/cli/core/providers/ViteDevServerProvider.ts#L482

  480 |
  481 |   // Snapshot and restore process.env to isolate each reload
> 482 |   const envSnapshot = { ...process.env };
  483 |   await this.setupEnvironment();
  484 |

HIGH env-spread: src/core/Alepha.ts:164 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/core/Alepha.ts#L164

  162 |   // merge process.env with the state.env
  163 |   if (typeof process === "object" && typeof process.env === "object") {
> 164 |     state.env = {
  165 |       ...process.env,
  166 |       ...state.env,

HIGH env-spread: src/system/providers/NodeShellProvider.ts:69 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/system/providers/NodeShellProvider.ts#L69

  67 |       cwd: options.cwd,
  68 |       shell: true,
> 69 |       env: { ...process.env, ...options.env },
  70 |     })
  71 |   : spawn(executable, args, {

HIGH env-spread: src/system/providers/NodeShellProvider.ts:74 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/system/providers/NodeShellProvider.ts#L74

  72 |       stdio: "inherit",
  73 |       cwd: options.cwd,
> 74 |       env: { ...process.env, ...options.env },
  75 |     });
  76 |

HIGH env-spread: src/system/providers/NodeShellProvider.ts:119 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/feunard/alepha/blob/a672ac9a2cf7d18e9e877c2334a7de8144608aea/src/system/providers/NodeShellProvider.ts#L119

  117 |   cwd: options.cwd,
  118 |   maxBuffer: 50 * 1024 * 1024,
> 119 |   env: {
  120 |     ...process.env,
  121 |     LOG_FORMAT: "pretty",

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
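The six env-spread hits in v0.20.2 above, and the accepted-risk entry for the same rule, all hand a child process (or the merged `state.env`) the complete parent environment, so any registry token or cloud credential present on the developer's machine or CI runner is inherited by whatever gets spawned. The following is an added example in TypeScript, not Alepha's code, showing the pattern the scanner flags beside an allowlist-based replacement that forwards only named variables and lets the caller pass a credential on deliberately. `DEFAULT_ALLOWLIST`, the `SECRET_NAME` heuristic, `runWithEnv` and the sample environment are assumptions constructed for the demo.

```typescript
// Added example, not Alepha code. Contrasts `env: { ...process.env, ...extra }`
// with an allowlisted child environment. Names and sample values are constructed.
import { spawnSync } from "node:child_process";

type Env = Record<string, string | undefined>;

// Variables a dev/build child usually needs. Hypothetical starting point; tune per project.
export const DEFAULT_ALLOWLIST = ["PATH", "HOME", "TMPDIR", "LANG", "TERM", "NODE_ENV", "CI"];

// Heuristic for names that almost always carry credentials (audit aid, not a guarantee).
export const SECRET_NAME = /TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|_KEY$/i;

// Constructed parent environment standing in for process.env on a CI runner. Not real secrets.
export const SAMPLE_PARENT_ENV: Env = {
  PATH: "/usr/local/bin:/usr/bin:/bin",
  HOME: "/home/ci",
  NODE_ENV: "development",
  NPM_TOKEN: "npm_constructed_example_not_a_real_token",
  AWS_SECRET_ACCESS_KEY: "constructed-example-not-a-real-key",
  GITHUB_TOKEN: "ghs_constructed_example",
};

// The flagged pattern: everything in the parent reaches the child; extras merely override.
export function spreadEnv(parent: Env, extra: Env = {}): Env {
  return { ...parent, ...extra };
}

// Hardened replacement: copy only allowlisted names, then apply explicit extras.
// A credential reaches the child only if the caller names it in `extra` or in `allow`.
export function buildChildEnv(parent: Env, extra: Env = {}, allow: string[] = DEFAULT_ALLOWLIST): Env {
  const out: Env = {};
  for (const name of allow) {
    const value = parent[name];
    if (value !== undefined) out[name] = value;
  }
  for (const [name, value] of Object.entries(extra)) {
    if (value !== undefined) out[name] = value; // skip unset values rather than forwarding them
  }
  return out;
}

// Audit aid: names in `env` that look like credentials, sorted for stable comparison.
export function secretNames(env: Env): string[] {
  return Object.keys(env).filter((name) => SECRET_NAME.test(name)).sort();
}

// How the dev.ts / NodeShellProvider call sites would look with the allowlist in place.
// `extra` is the per-command additions (APP_NAME, LOG_FORMAT, options.env, ...).
export function runWithEnv(command: string, args: string[], extra: Env = {}, cwd?: string): number | null {
  const result = spawnSync(command, args, {
    cwd,
    stdio: "inherit",
    env: buildChildEnv(process.env, extra),
  });
  return result.status;
}

// Demo: the spread forwards three credentials, the allowlist forwards none but keeps APP_NAME.
console.log("spread    ->", secretNames(spreadEnv(SAMPLE_PARENT_ENV, { APP_NAME: "ALEPHA" })));
console.log("allowlist ->", secretNames(buildChildEnv(SAMPLE_PARENT_ENV, { APP_NAME: "ALEPHA" })));
console.log("allowlist ->", Object.keys(buildChildEnv(SAMPLE_PARENT_ENV, { APP_NAME: "ALEPHA" })));
```

The `ViteDevServerProvider.ts:482` and `Alepha.ts:164` hits are a slightly different shape (a snapshot and a merge into framework state rather than a spawn), but the same allowlist applies: snapshot and merge only the names the framework reads, so a dump of `state.env` in a log or error report cannot carry the host's credentials. Where a command genuinely needs a token, pass it through `extra` so the forwarding is visible at the call site and shows up in review.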

v0.20.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.