
transloadit

Versions: 8
License:
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version. Each signal below is an independent check on how the published tarball was produced, not on what the code in it does:

SLSA provenance attestation: the registry holds a Sigstore-signed SLSA build provenance statement for the tarball, tying it to the source repository, commit and CI workflow that built it.
npm registry signatures: the tarball is signed with the registry's own key; npm audit signatures verifies both the registry signature and the provenance attestation.
gitHead linked: the published package metadata records the git commit the package was built from, so the tarball can be matched to a specific commit in the source repository.

Together these establish where and how a version was built. Whether the code itself is safe is what the per-version findings below cover.
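The three signals can be read from the registry's packument for a version (npm view transloadit@4.10.4 --json). The check below is an added example written for this page, not code from the scanner or from the transloadit SDK: it inspects the packument fields that carry each signal and derives the commit tree URL to compare with the Source: links in the findings. The sample packument inside it is constructed: the commit hash is the one the v4.10.4 Source: links on this page point at, the signature and attestation values are placeholders, and the field names (dist.attestations, dist.signatures, gitHead, repository) are assumed from the registry's published packument format.

```typescript
// Added example for this page, not the scanner's or the transloadit SDK's code.
// Field names are assumed from the npm registry packument (`npm view <pkg>@<ver> --json`).

export interface PackumentVersion {
  name: string;
  version: string;
  gitHead?: string;
  repository?: { type?: string; url?: string };
  dist: {
    tarball: string;
    integrity?: string;
    signatures?: Array<{ keyid: string; sig: string }>;
    attestations?: { url: string; provenance?: { predicateType: string } };
  };
}

export interface ProvenanceSignals {
  slsaProvenance: boolean;    // "SLSA provenance attestation"
  registrySignature: boolean; // "npm registry signatures"
  gitHeadLinked: boolean;     // "gitHead linked"
  sourceTree?: string;        // commit URL to compare with the findings' Source: links
}

export const SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1";
const GIT_SHA = /^[0-9a-f]{40}$/;

// Normalise the repository.url forms npm accepts (git+https://, git@...:, github:)
// to the web URL a commit tree link can be built from.
export function repoWebUrl(repoUrl: string | undefined): string | undefined {
  if (!repoUrl) return undefined;
  const m = /(?:github\.com[/:]|^github:)([^/]+)\/([^/.]+?)(?:\.git)?$/i.exec(repoUrl);
  return m ? `https://github.com/${m[1]}/${m[2]}` : undefined;
}

// Reads the registry's *claims*; cryptographic verification of the signature and
// the Sigstore bundle is what `npm audit signatures` does.
export function assessProvenance(v: PackumentVersion): ProvenanceSignals {
  const attestation = v.dist.attestations;
  const slsaProvenance =
    attestation !== undefined && attestation.provenance?.predicateType === SLSA_V1_PREDICATE;
  const registrySignature =
    Array.isArray(v.dist.signatures) && v.dist.signatures.length > 0;
  const gitHeadLinked = typeof v.gitHead === "string" && GIT_SHA.test(v.gitHead);
  const web = repoWebUrl(v.repository?.url);
  const sourceTree = gitHeadLinked && web ? `${web}/tree/${v.gitHead}` : undefined;
  return { slsaProvenance, registrySignature, gitHeadLinked, sourceTree };
}

// Constructed sample, NOT real registry data: the commit hash is the one the
// v4.10.4 Source: links on this page use; signature/attestation values are placeholders.
export const sampleV4_10_4: PackumentVersion = {
  name: "transloadit",
  version: "4.10.4",
  gitHead: "e8f6f441a379c37613ef2f02b33a26ab00ed7385",
  repository: { type: "git", url: "git+https://github.com/transloadit/node-sdk.git" },
  dist: {
    tarball: "https://registry.npmjs.org/transloadit/-/transloadit-4.10.4.tgz",
    signatures: [{ keyid: "SHA256:placeholder-registry-key-id", sig: "placeholder-signature" }],
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/transloadit@4.10.4",
      provenance: { predicateType: SLSA_V1_PREDICATE },
    },
  },
};

// Constructed contrast: a version pushed with plain `npm publish` from a workstation,
// with no provenance, no registry signature record and no git metadata.
export const sampleManualPublish: PackumentVersion = {
  name: "transloadit",
  version: "0.0.0-example",
  dist: { tarball: "https://registry.npmjs.org/transloadit/-/transloadit-0.0.0-example.tgz" },
};
```

Use it as a cross-check rather than a verifier: run assessProvenance over the real packument, then compare sourceTree with the commit in the Source: links of the findings for that version. A gitHead that differs from the commit the attestation names, or a version where the signals drop out while neighbours have them, is the thing to investigate; npm audit signatures is still the step that checks the cryptography.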

Maintainers

tim-koskvzmifi

Keywords

transloadit, tus, resumable-upload, upload, file-processing, assembly, assemblies, template, templates, encoding, transcoding, video, image, audio, mp3, cli, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When

semgrep | semgrep:env-spread | AI (semgrep): Used to snapshot env state before/after dotenv loading — not exfiltration. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for safe dynamic property access on typed assembly object — not obfuscation. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Simple utility function for decoding base64 input data — no payload hiding. | ai |
phantom-deps | phantom-dep:@aws-sdk/client-s3 | AI (phantom-deps): AWS SDK deps are declared in package.json and used by convention/framework loading. | ai |
phantom-deps | phantom-dep:@aws-sdk/s3-request-presigner | AI (phantom-deps): AWS SDK deps are declared in package.json and used by convention/framework loading. | ai |

Versions (showing 8 of 8)

Version | Deps | Published

4.10.6 | 20 / 3 |
4.10.5 | 20 / 3 |
4.10.4 | 20 / 3 |
4.10.3 | 20 / 3 |
4.10.2 | 20 / 3 |
4.10.1 | 20 / 3 |
4.10.0 | 22 / 5 |
4.9.1 | 22 / 5 |

v4.10.6

1 finding
INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.5

1 finding
INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.4

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/e8f6f441a379c37613ef2f02b33a26ab00ed7385/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/e8f6f441a379c37613ef2f02b33a26ab00ed7385/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/e8f6f441a379c37613ef2f02b33a26ab00ed7385/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.3

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/048a1ebd72dac24aec14d6abeb1114f8af828485/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/048a1ebd72dac24aec14d6abeb1114f8af828485/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/048a1ebd72dac24aec14d6abeb1114f8af828485/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.2

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/d14eaccf50ce93b12f22c73b4b4c97633bf43e3d/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/d14eaccf50ce93b12f22c73b4b4c97633bf43e3d/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/d14eaccf50ce93b12f22c73b4b4c97633bf43e3d/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.1

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/57c4a6c3b54ca039e6c70e9245f610045c00749a/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/57c4a6c3b54ca039e6c70e9245f610045c00749a/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/57c4a6c3b54ca039e6c70e9245f610045c00749a/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.10.0

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/264c7054c2c7ac069237501f8ae8e2a45eb961f4/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/264c7054c2c7ac069237501f8ae8e2a45eb961f4/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/264c7054c2c7ac069237501f8ae8e2a45eb961f4/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.9.1

4 findings
HIGH env-spread: src/cli/helpers.ts:112 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/2c6e3ec5583e121b72fdfb800a6523ef166e34eb/src/cli/helpers.ts#L112

    110 | if (loadedProjectDotenvPath !== projectDotenvPath) {
    111 |   restoreProjectDotenvFromProcessEnv()
  > 112 |   shellEnvBeforeProjectDotenv = { ...process.env }
    113 |   loadedProjectDotenvPath = projectDotenvPath
    114 | }

HIGH env-spread: src/cli/helpers.ts:147 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/2c6e3ec5583e121b72fdfb800a6523ef166e34eb/src/cli/helpers.ts#L147

    145 |   }
    146 |
  > 147 |   return { ...process.env }
    148 | }
    149 |

HIGH env-spread: src/cli/helpers.ts:184 (semgrep)

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/transloadit/node-sdk/blob/2c6e3ec5583e121b72fdfb800a6523ef166e34eb/src/cli/helpers.ts#L184

    182 |   {
    183 |     name: 'env',
  > 184 |     values: { ...process.env },
    185 |   },
    186 | ]

INFO Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.