mia-co
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a test script passing env to child process — standard pattern, not exfiltration. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): ora is a declared runtime dep; phantom-dep heuristic fires due to indirect import pattern. | ai | |
| phantom-deps | phantom-dep:coaiajs | AI (phantom-deps): coaiajs is a declared runtime dep; phantom-dep heuristic fires due to indirect import pattern. | ai | |
| phantom-deps | phantom-dep:enquirer | AI (phantom-deps): enquirer is a declared runtime dep; phantom-dep heuristic fires due to indirect import pattern. | ai | |
Versions (showing 51 of 58)
| Version | Deps | Published |
|---|---|---|
| 0.12.7 | 6 / 3 | |
| 0.12.6 | 6 / 3 | |
| 0.12.5 | 6 / 3 | |
| 0.12.4 | 6 / 3 | |
| 0.12.3 | 6 / 3 | |
| 0.12.2 | 6 / 3 | |
| 0.12.1 | 5 / 3 | |
| 0.12.0 | 5 / 3 | |
| 0.11.4 | 5 / 3 | |
| 0.11.3 | 5 / 3 | |
| 0.11.2 | 5 / 3 | |
| 0.11.1 | 5 / 3 | |
| 0.11.0 | 5 / 3 | |
| 0.10.0 | 5 / 3 | |
| 0.9.4 | 5 / 3 | |
| 0.9.3 | 5 / 3 | |
| 0.9.2 | 5 / 3 | |
| 0.9.1 | 5 / 3 | |
| 0.9.0 | 5 / 3 | |
| 0.8.8 | 5 / 3 | |
| 0.8.7 | 5 / 3 | |
| 0.8.6 | 5 / 3 | |
| 0.8.5 | 5 / 3 | |
| 0.8.4 | 5 / 3 | |
| 0.8.3 | 5 / 3 | |
| 0.8.2 | 5 / 3 | |
| 0.8.1 | 5 / 3 | |
| 0.8.0 | 5 / 3 | |
| 0.7.7 | 5 / 3 | |
| 0.7.6 | 5 / 3 | |
| 0.7.5 | 5 / 3 | |
| 0.7.4 | 5 / 3 | |
| 0.7.3 | 5 / 3 | |
| 0.7.2 | 5 / 3 | |
| 0.7.1 | 5 / 3 | |
| 0.7.0 | 5 / 3 | |
| 0.6.4 | 5 / 3 | |
| 0.6.3 | 5 / 3 | |
| 0.6.2 | 5 / 3 | |
| 0.6.1 | 5 / 3 | |
| 0.6.0 | 5 / 3 | |
| 0.5.7 | 5 / 3 | |
| 0.5.6 | 5 / 3 | |
| 0.5.5 | 5 / 3 | |
| 0.5.4 | 5 / 3 | |
| 0.5.3 | 5 / 3 | |
| 0.5.2 | 5 / 3 | |
| 0.5.1 | 5 / 3 | |
| 0.3.3 | 5 / 3 | |
| 0.3.2 | 5 / 3 | |
| 0.3.1 | 5 / 3 | |
v0.12.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jgi.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/jgwill/mia-co/blob/c3e71deaa9d362a7116820a4bea9e466d46ada1d/scripts/verify-miadi-foundation-contract.mjs#L63

```js
61 | {
62 |   cwd: process.cwd(),
> 63 |   env: { ...process.env, ...env },
64 |   encoding: "utf-8",
65 |   stdio: ["ignore", "pipe", "pipe"],
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/jgwill/mia-co/blob/9be9286c88ebaacb179865c530857879ae853c42/scripts/verify-miadi-foundation-contract.mjs#L63

```js
61 | {
62 |   cwd: process.cwd(),
> 63 |   env: { ...process.env, ...env },
64 |   encoding: "utf-8",
65 |   stdio: ["ignore", "pipe", "pipe"],
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/jgwill/mia-co/blob/a95b5682b0365aca44cbf656a2e9443ed28b41ad/scripts/verify-miadi-foundation-contract.mjs#L63

```js
61 | {
62 |   cwd: process.cwd(),
> 63 |   env: { ...process.env, ...env },
64 |   encoding: "utf-8",
65 |   stdio: ["ignore", "pipe", "pipe"],
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.