
vectra

Versions: 9
License:
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

stevenic

Keywords

vector-database, embeddings, semantic-search, rag, retrieval-augmented-generation, openai, azure-openai, transformers, local-embeddings, cosine-similarity, bm25, hybrid-search, local-database, llm, ai, browser, electron

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): gpt-tokenizer is a legitimate, well-known package; adding it to a vector DB with OpenAI integration is expected and benign. | ai |
phantom-deps | phantom-dep:@paztis/gpt-3-encoder | AI (phantom-deps): Declared dependency used as a drop-in replacement for gpt-3-encoder; phantom-dep heuristic fires because it may be referenced indirectly or in config rather than directly imported. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process is imported in test spec files for CLI integration testing, and in the CLI itself for daemon mode. Both are legitimate uses for this CLI tool. | ai |
semgrep | semgrep:silent-process-exec | AI (semgrep): This is a legitimate daemon-mode implementation: spawns the same Node.js CLI script with the same args minus --daemon. Not a reverse shell or miner. | ai |
phantom-deps | phantom-dep:openai | AI (phantom-deps): openai is a declared runtime dependency for the vector database's OpenAI integration; phantom-dep fires because it's not imported in the main library entry point. | ai |
phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv is a declared runtime dependency used by the CLI for environment configuration; phantom-dep fires because it's not imported in the library entry point. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same daemon-mode spawn pattern as silent-process-exec; process.execPath and process.argv[1] are the current Node binary and CLI script, not attacker-controlled. | ai |

Versions (showing 9 of 9)

Version | Deps | Published
0.15.0 | 13 / 24 |
0.14.0 | 13 / 24 |
0.12.3 | 11 / 17 |
0.12.2 | 11 / 14 |
0.12.1 | 11 / 15 |
0.12.0 | 11 / 15 |
0.11.1 | 11 / 12 |
0.11.0 | 10 / 12 |
0.10.1 | 10 / 12 |

v0.15.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.14.0

5 findings
HIGH  silent-process-exec: lib/vectra-cli.js:648  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/Stevenic/vectra/blob/2c026e8e45cda87496884d79205bda6593060e16/lib/vectra-cli.js#L648

      646 | const { spawn } = require('child_process');
      647 | const cliArgs = process.argv.slice(2).filter(a => a !== '--daemon');
    > 648 | const child = spawn(process.execPath, [process.argv[1], ...cliArgs], {
      649 |   detached: true,
      650 |   stdio: 'ignore',

HIGH  silent-process-exec-var: lib/vectra-cli.js:648  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/Stevenic/vectra/blob/2c026e8e45cda87496884d79205bda6593060e16/lib/vectra-cli.js#L648

      646 | const { spawn } = require('child_process');
      647 | const cliArgs = process.argv.slice(2).filter(a => a !== '--daemon');
    > 648 | const child = spawn(process.execPath, [process.argv[1], ...cliArgs], {
      649 |   detached: true,
      650 |   stdio: 'ignore',

HIGH  silent-process-exec: src/vectra-cli.ts:607  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/Stevenic/vectra/blob/2c026e8e45cda87496884d79205bda6593060e16/src/vectra-cli.ts#L607

      605 | const { spawn } = require('child_process');
      606 | const cliArgs = process.argv.slice(2).filter(a => a !== '--daemon');
    > 607 | const child = spawn(process.execPath, [process.argv[1], ...cliArgs], {
      608 |   detached: true,
      609 |   stdio: 'ignore',

HIGH  silent-process-exec-var: src/vectra-cli.ts:607  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/Stevenic/vectra/blob/2c026e8e45cda87496884d79205bda6593060e16/src/vectra-cli.ts#L607

      605 | const { spawn } = require('child_process');
      606 | const cliArgs = process.argv.slice(2).filter(a => a !== '--daemon');
    > 607 | const child = spawn(process.execPath, [process.argv[1], ...cliArgs], {
      608 |   detached: true,
      609 |   stdio: 'ignore',

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.