
vite-envs

5 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

garronej

Keywords

react, vite, environment-variables, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | encoded-string-file:index.js | AI (source-diff): Encoded string is the llhttp WASM binary, a standard bundled HTTP parser dependency — not malicious. | ai |
source-diff | encoded-string-file:bin/main.js | AI (source-diff): Same llhttp WASM binary in the bundled CLI entry point — benign bundled dependency. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Passes process.env to child vite process — required for dev-server spawning, not exfiltration. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): Enumerates process.env but immediately filters to declared keys only — core feature of an env-var injection tool. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is a documented feature for encoding env values in .env files, not payload hiding. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
4.7.2 | 0 / 20 |
4.7.1 | 0 / 20 |
4.7.0 | 0 / 20 |
4.6.2 | 0 / 20 |
4.6.1 | 0 / 20 |

v4.7.2

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers for the publish path: it binds the tarball to a source repository, commit and CI workflow. It says nothing about whether that source is benign, so it complements source review rather than replacing it.

v4.7.1

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers for the publish path: it binds the tarball to a source repository, commit and CI workflow. It says nothing about whether that source is benign, so it complements source review rather than replacing it.

v4.7.0

4 findings
[HIGH] Publisher changed: garronej → GitHub Actions (on 2026-06-08) (provenance)

This version was published under a different npm identity from previous versions, on 2026-06-08. That can mean a legitimate maintainer transition or an account compromise. Here the new publisher is GitHub Actions and this is also the first version on this page that carries a SLSA provenance attestation, which is consistent with the maintainer switching to CI-based trusted publishing. Confirm it by checking that the attestation's workflow repository and resolved commit match the package's repository and gitHead rather than a fork.

[HIGH] Long encoded string in modified file: index.js (source-diff)

The modified file contains 2 long encoded strings (200 or more characters). Long base64 blobs are a common way to hide a payload, but they are also how bundlers embed WASM and other binaries; the accepted-risk entry above records this one as the llhttp WASM parser. Decoding the first bytes and checking for the WASM magic ("\0asm") confirms that without relying on the label.

[HIGH] Long encoded string in modified file: bin/main.js (source-diff)

The modified file contains 2 long encoded strings (200 or more characters). As with index.js, the accepted-risk entry above records these as the same llhttp WASM binary bundled into the CLI entry point; the same magic-byte check applies, and the two blobs should decode to identical bytes if that is true.
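
The check suggested for the two encoded-string findings above, as an added example (not code from vite-envs or from the scanner that produced this page): locate base64 runs of 200 or more characters, decode only their first bytes, and classify them by magic number. The sample "bundle" at the bottom is constructed here (a fake WASM header plus padding, and an encoded text blob); it is not taken from the package.

```javascript
// Added example, not code from vite-envs or from the scanner behind this page.
// Finds long base64 runs in a source file and decodes only their first bytes,
// so a reviewer can tell a bundled WASM module (what the accepted-risk entries
// say these are) from an unknown blob without trusting the label.
const MIN_LEN = 200; // the finding's "200+ chars" threshold
const BASE64_RUN = new RegExp(`[A-Za-z0-9+/]{${MIN_LEN},}={0,2}`, "g");

// Magic numbers of a few containers that commonly get base64-embedded.
const MAGICS = [
  { kind: "wasm", bytes: [0x00, 0x61, 0x73, 0x6d] }, // "\0asm"
  { kind: "gzip", bytes: [0x1f, 0x8b] },
  { kind: "zip", bytes: [0x50, 0x4b, 0x03, 0x04] },
  { kind: "elf", bytes: [0x7f, 0x45, 0x4c, 0x46] },
];

function classifyBytes(buf) {
  for (const m of MAGICS) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) return m.kind;
  }
  // Decoded printable text (a bundled script, JSON, a URL list) is the case
  // that deserves reading; a blob with a known magic usually is what it claims.
  const printable =
    buf.length > 0 &&
    buf.every((b) => (b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d);
  return printable ? "text" : "unknown-binary";
}

function findEncodedStrings(source) {
  const results = [];
  for (const m of source.matchAll(BASE64_RUN)) {
    const head = Buffer.from(m[0].slice(0, 64), "base64"); // 64 chars -> 48 bytes
    results.push({ offset: m.index, length: m[0].length, kind: classifyBytes(head) });
  }
  return results;
}

// Constructed sample "bundle": a fake WASM module (correct 8-byte header,
// padded body) and a base64-encoded text blob. Neither is taken from vite-envs.
const FAKE_WASM = Buffer.concat([
  Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]), // "\0asm" + version 1
  Buffer.alloc(200, 0x41),
]).toString("base64");
const TEXT_BLOB = Buffer.from("export default {}\n".repeat(20)).toString("base64");
const SAMPLE_SOURCE = `const wasmBinary = "${FAKE_WASM}";\nconst cfg = "${TEXT_BLOB}";\n`;

console.log(findEncodedStrings(SAMPLE_SOURCE));
```

The character class also matches long hexadecimal or minified-identifier runs, which decode to garbage and come out as "unknown-binary"; treat that bucket as "look by hand", not as malicious. For the llhttp case a reviewer would additionally decode the full blob and compare its hash against the llhttp release the bundle claims to contain.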

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers for the publish path: it binds the tarball to a source repository, commit and CI workflow. It says nothing about whether that source is benign, so it complements source review rather than replacing it.

v4.6.2

2 findings
[HIGH] env-spread: src/bin/updateTypes.ts:6 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/garronej/vite-envs/blob/3007301f348848a5fbe5886de9f313f188cab95c/src/bin/updateTypes.ts#L6

  4 | export async function updateTypes(): Promise<void> {
  5 |   const child = child_process.spawn("npx", ["vite", "dev"], {
> 6 |     env: {
  7 |       ...process.env,
  8 |       [updateTypingScriptEnvName]: ""

Everything in the parent environment, including any CI or cloud credentials present when the command runs, becomes visible to the spawned vite dev server and to every plugin it loads. The accepted-risk entry above treats this as required for spawning the dev server; an allowlist of the variables vite actually needs would give the same result with less exposure.

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.6.1

2 findings
[HIGH] env-spread: src/bin/updateTypes.ts:6 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/garronej/vite-envs/blob/8b201dfc737fc9d1b357c8c6850063563c1a5058/src/bin/updateTypes.ts#L6

  4 | export async function updateTypes(): Promise<void> {
  5 |   const child = child_process.spawn("npx", ["vite", "dev"], {
> 6 |     env: {
  7 |       ...process.env,
  8 |       [updateTypingScriptEnvName]: ""

Same pattern and same caveat as in v4.6.2: the whole parent environment, credentials included, is handed to the child vite process and its plugins, where an allowlist would do.
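
For the env-spread findings in v4.6.2 and v4.6.1, here is the allowlist alternative as an added example; it is not vite-envs code and does not claim to be what the project needs in full. It keeps a small baseline a Node tool requires to start, adds caller-chosen names and prefixes, refuses prefix-matched names that look like credentials, and merges the marker variable last. The marker name VITE_ENVS_UPDATE_TYPES is a hypothetical stand-in for updateTypingScriptEnvName, whose value this page does not show; the parent environment at the bottom is constructed.

```javascript
// Added example, not vite-envs code. The finding above spreads the whole
// parent environment into the child `vite dev` process; this builds the
// child's environment from an allowlist instead, and additionally refuses
// names that look like credentials unless they were listed explicitly.

// Baseline a Node tool needs to start at all (PATH for npx, HOME for npm's
// cache and config; the Windows entries are harmless elsewhere).
const BASELINE = [
  "PATH", "HOME", "USERPROFILE", "SystemRoot", "PATHEXT",
  "TMPDIR", "TEMP", "TMP", "NODE_ENV", "NODE_OPTIONS",
];
const LOOKS_SECRET = /SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|CREDENTIAL|API_KEY/i;

// Hypothetical name for the marker variable the snippet calls
// updateTypingScriptEnvName; its real value is not shown on this page.
const UPDATE_TYPES_MARKER = "VITE_ENVS_UPDATE_TYPES";

function buildChildEnv(parentEnv, { allowNames = [], allowPrefixes = [], extra = {} } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(parentEnv)) {
    if (value === undefined) continue;
    const listed = BASELINE.includes(name) || allowNames.includes(name);
    const prefixed = allowPrefixes.some((p) => name.startsWith(p));
    if (!listed && !prefixed) continue;               // not requested at all
    if (!listed && LOOKS_SECRET.test(name)) continue; // prefix match, but smells like a credential
    out[name] = value;
  }
  return { ...out, ...extra }; // marker/extra values win, as in the original spread
}

// The spawn from the finding with the allowlisted environment in place of
// `...process.env`. Not called below; the test exercises buildChildEnv only.
function spawnViteDev(parentEnv = process.env) {
  const child_process = require("child_process");
  return child_process.spawn("npx", ["vite", "dev"], {
    env: buildChildEnv(parentEnv, { allowPrefixes: ["VITE_"], extra: { [UPDATE_TYPES_MARKER]: "" } }),
    stdio: "inherit",
  });
}

// Constructed parent environment mixing what vite needs with what it should never see.
const SAMPLE_PARENT_ENV = {
  PATH: "/usr/local/bin:/usr/bin",
  HOME: "/home/ci",
  VITE_API_URL: "https://api.example.invalid",
  VITE_API_SECRET: "do-not-forward",
  AWS_SECRET_ACCESS_KEY: "do-not-forward",
  NPM_TOKEN: "do-not-forward",
};

console.log(buildChildEnv(SAMPLE_PARENT_ENV, { allowPrefixes: ["VITE_"], extra: { [UPDATE_TYPES_MARKER]: "" } }));
```

The baseline and prefixes have to be tuned to what the child really reads (proxy variables, a custom npm cache location, the Vite-specific names the tool itself injects); an allowlist that is too tight fails loudly at spawn time, which is the preferable failure mode compared with silently forwarding a CI token.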

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.