glimpseui

3
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

haza

Keywords

macos, linux, windows, webview, native, ui, webkit, wkwebview, webview2, gtk, swift, gui, agent, dialog, prompt, overlay, pi-package

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:silent-process-exec | AI (semgrep): Fires in examples/companion/index.ts — example code showing companion process spawning, not library runtime. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same example file; not in library runtime code path. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Native WebView binding (Swift/GTK/.NET) legitimately needs postinstall to build/fetch platform binaries. | ai |

Versions (showing 3 of 3)

Version | Deps | Published
0.8.1 | 0 / 0 |
0.8.0 | 0 / 0 |
0.3.1 | 0 / 0 |

v0.8.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v0.8.0

4 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.mjs

HIGH silent-process-exec: examples/companion/index.ts:99 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/hazat/glimpse/blob/a86df317a74da2b5c0fe0cc85a531cb79c879bef/examples/companion/index.ts#L99

   97 |
   98 |   // Spawn companion and retry
>  99 |   const child = spawn(process.execPath, [COMPANION_PATH], {
  100 |     detached: true,
  101 |     stdio: "ignore",

HIGH silent-process-exec-var: examples/companion/index.ts:99 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/hazat/glimpse/blob/a86df317a74da2b5c0fe0cc85a531cb79c879bef/examples/companion/index.ts#L99

   97 |
   98 |   // Spawn companion and retry
>  99 |   const child = spawn(process.execPath, [COMPANION_PATH], {
  100 |     detached: true,
  101 |     stdio: "ignore",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.1

4 findings
HIGH Package has 'postinstall' script install-scripts

Script: npm run build

HIGH silent-process-exec: pi-extension/index.ts:67 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/hjanuschka/glimpse/blob/452c5e6f8034f23e47dbff7e5bb40e65fb8f9bb4/pi-extension/index.ts#L67

   65 |
   66 |   // Spawn companion and retry
>  67 |   const child = spawn("node", [COMPANION_PATH], {
   68 |     detached: true,
   69 |     stdio: "ignore",

HIGH silent-process-exec-var: pi-extension/index.ts:67 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/hjanuschka/glimpse/blob/452c5e6f8034f23e47dbff7e5bb40e65fb8f9bb4/pi-extension/index.ts#L67

   65 |
   66 |   // Spawn companion and retry
>  67 |   const child = spawn("node", [COMPANION_PATH], {
   68 |     detached: true,
   69 |     stdio: "ignore",

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.