repomix
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@secretlint/secretlint-rule-preset-recommend | AI (dependencies): secretlint is a well-known secret scanning tool; used legitimately for lint-secretlint script. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a well-known templating library; stable legitimate dependency for this package. | ai | |
| phantom-deps | phantom-dep:tree-sitter-wasms | AI (phantom-deps): tree-sitter-wasms is a platform-specific binary package; declared as runtime dep for native tree-sitter WASM support, not directly imported in JS. | ai | |
| provenance | no-provenance | AI (provenance): Established package with public GitHub repo; lack of Sigstore attestation is not a risk signal here. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is used only to pass process.env + GIT_TERMINAL_PROMPT=0 to git subprocess; no secret exfiltration risk. | ai | |
| phantom-deps | phantom-dep:@repomix/tree-sitter-wasms | AI (phantom-deps): Platform-specific binary package; indirect import pattern is expected and stable. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.14.0 | 27 / 16 | |
| 1.13.0 | 26 / 15 | |
| 1.11.0 | 26 / 14 | |
| 1.10.2 | 26 / 14 | |
| 1.9.1 | 25 / 14 |
v1.14.0
4 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/yamadashy/repomix/blob/7dfd2b96657cc88ff60b8ec1fd88b467aa1f8aba/lib/core/git/gitCommand.js#L9 7 | const execFileAsync = promisify(execFile); 8 | const GIT_REMOTE_TIMEOUT = 30000; > 9 | const gitRemoteEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0' }; 10 | const gitRemoteOpts = { timeout: GIT_REMOTE_TIMEOUT, env: gitRemoteEnv }; 11 | export const execGitLogFilenames = async (directory, maxCommits = 100, deps = {
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/yamadashy/repomix/blob/7dfd2b96657cc88ff60b8ec1fd88b467aa1f8aba/lib/shared/processConcurrency.js#L39 37 | logger.trace(`Initializing worker pool with min=${minThreads}, max=${maxThreads} threads, runtime=${runtime}. Worker 38 | const startTime = process.hrtime.bigint(); > 39 | const pool = new Tinypool({ 40 | filename: workerPath, 41 | runtime,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/yamadashy/repomix/blob/7dfd2b96657cc88ff60b8ec1fd88b467aa1f8aba/lib/shared/processConcurrency.js#L51 49 | }, 50 | ...(runtime === 'child_process' && { > 51 | env: { 52 | ...process.env, 53 | REPOMIX_WORKER_TYPE: workerType,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.