docdex

Local-first documentation and code indexer with HTTP/MCP search, AST, and agent memory.

Versions: 5
License: MIT
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked.

Maintainers

bekirdag

Keywords

docdex, documentation, search, index, code-search, mcp, ai, agent, rag, knowledge-base, cli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source          | Rule                        | Reason                                                                                                                                                        | Accepted by | When
install-scripts | install-script:postinstall  | AI (install-scripts): Postinstall fetches prebuilt binaries for multi-OS/CPU targets; consistent with documented install flow and SLSA provenance.             | ai          |
semgrep         | semgrep:env-spread          | AI (semgrep): env-spread is used to pass inherited environment to a child process spawn — standard pattern, not exfiltration.                                  | ai          |
semgrep         | semgrep:shady-links-raw-ip  | AI (semgrep): Raw IP is 127.0.0.1 (localhost) for MCP stdio bridge default — not an external endpoint.                                                         | ai          |
semgrep         | semgrep:base64-decode       | AI (semgrep): Base64 decode used for release signature verification in release_signing.js — legitimate cryptographic use.                                     | ai          |

Versions (showing 5 of 5)

Version | Deps  | Published
0.2.74  | 1 / 0 |
0.2.73  | 1 / 0 |
0.2.71  | 1 / 0 |
0.2.70  | 1 / 0 |
0.2.59  | 1 / 0 |

v0.2.74

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.73

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.71

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.70

4 findings
HIGH: Package has 'postinstall' script (install-scripts)

Script: node ./lib/install.js

HIGH: env-spread: bin/docdex.js:242 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/bekirdag/docdex/blob/323832c75f62eba8ac450c6017c69c801ca6e704/bin/docdex.js#L242

      240 | });
      241 |
    > 242 | const env = { ...process.env };
      243 | const child = spawn(binaryPath, process.argv.slice(2), { stdio: "inherit", env });
      244 | child.on("exit", (code) => process.exit(code ?? 1));

HIGH: env-spread: lib/cli_entry.js:242 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/bekirdag/docdex/blob/323832c75f62eba8ac450c6017c69c801ca6e704/lib/cli_entry.js#L242

      240 | });
      241 |
    > 242 | const env = { ...process.env };
      243 | const child = spawn(binaryPath, process.argv.slice(2), { stdio: "inherit", env });
      244 | child.on("exit", (code) => process.exit(code ?? 1));

INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.59

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.