@forwardimpact/libeval
Agent evaluation framework — prove whether agent changes improved outcomes with reproducible evidence.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in benchmark spawn helper — passing process.env to child processes is idiomatic and not exfiltration. | ai | |
| provenance | no-provenance | AI (provenance): Consistent across all @forwardimpact packages; org does not use Sigstore attestation. | ai |
Versions (showing 51 of 57)
| Version | Deps | Published |
|---|---|---|
| 0.1.62 | 9 / 1 | |
| 0.1.61 | 9 / 1 | |
| 0.1.60 | 9 / 1 | |
| 0.1.59 | 9 / 1 | |
| 0.1.58 | 9 / 1 | |
| 0.1.57 | 9 / 1 | |
| 0.1.56 | 9 / 1 | |
| 0.1.55 | 9 / 1 | |
| 0.1.54 | 9 / 1 | |
| 0.1.53 | 9 / 1 | |
| 0.1.52 | 9 / 1 | |
| 0.1.51 | 9 / 1 | |
| 0.1.50 | 9 / 1 | |
| 0.1.49 | 9 / 1 | |
| 0.1.48 | 9 / 1 | |
| 0.1.47 | 9 / 1 | |
| 0.1.46 | 8 / 1 | |
| 0.1.45 | 6 / 1 | |
| 0.1.44 | 6 / 1 | |
| 0.1.43 | 6 / 1 | |
| 0.1.42 | 6 / 1 | |
| 0.1.41 | 6 / 1 | |
| 0.1.39 | 6 / 1 | |
| 0.1.38 | 6 / 1 | |
| 0.1.36 | 5 / 1 | |
| 0.1.35 | 5 / 1 | |
| 0.1.34 | 5 / 1 | |
| 0.1.33 | 5 / 1 | |
| 0.1.32 | 5 / 1 | |
| 0.1.31 | 5 / 1 | |
| 0.1.30 | 5 / 1 | |
| 0.1.28 | 5 / 1 | |
| 0.1.27 | 5 / 1 | |
| 0.1.26 | 5 / 1 | |
| 0.1.25 | 5 / 1 | |
| 0.1.24 | 5 / 1 | |
| 0.1.23 | 5 / 1 | |
| 0.1.22 | 5 / 1 | |
| 0.1.21 | 5 / 0 | |
| 0.1.20 | 5 / 0 | |
| 0.1.19 | 5 / 0 | |
| 0.1.18 | 5 / 0 | |
| 0.1.17 | 5 / 0 | |
| 0.1.16 | 5 / 0 | |
| 0.1.15 | 4 / 0 | |
| 0.1.14 | 3 / 0 | |
| 0.1.13 | 3 / 0 | |
| 0.1.12 | 3 / 0 | |
| 0.1.11 | 3 / 0 | |
| 0.1.9 | 1 / 0 | |
| 0.1.8 | 1 / 0 |
v0.1.62
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.61
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.60
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.59
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.58
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.57
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.56
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.55
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.53
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.52
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.51
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/aa5439f385cf6f7eacca7dd4c1db23304a6d753b/src/benchmark/invariants.js#L54 52 | 53 | const child = spawn(script, [], { > 54 | env: { 55 | ...process.env, 56 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/aa5439f385cf6f7eacca7dd4c1db23304a6d753b/src/benchmark/workdir.js#L166 164 | const child = spawn(script, [], { 165 | cwd, > 166 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 167 | detached: true, 168 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.50
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d265b9b6c6674ac7bd5289236a6f7c15abc8aa2f/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d265b9b6c6674ac7bd5289236a6f7c15abc8aa2f/src/benchmark/workdir.js#L151 149 | const child = spawn(script, [], { 150 | cwd, > 151 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 152 | detached: true, 153 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.49
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/5d7a7f8714eb0a558603f5750116a3218cdbc65d/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/5d7a7f8714eb0a558603f5750116a3218cdbc65d/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.48
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/32341698d6f0896fe8cf5823377aca5e47b6ffc8/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/32341698d6f0896fe8cf5823377aca5e47b6ffc8/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.47
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/51e25d5fb29918122fd1c8cdf3724f7b3fbb3e4f/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/51e25d5fb29918122fd1c8cdf3724f7b3fbb3e4f/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.46
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f41ed07f18a1afdc91f3548e5c8db4cd5a01f650/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f41ed07f18a1afdc91f3548e5c8db4cd5a01f650/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.45
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/def1eaad908b37024b7a53b173934143a97abd59/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/def1eaad908b37024b7a53b173934143a97abd59/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.44
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/8b70d4ed32b5c2465e0a6371e7f64fae0c6f497e/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/8b70d4ed32b5c2465e0a6371e7f64fae0c6f497e/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.43
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/3b5fac38733c9066307c19dcbea9cae9ce8f637e/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/3b5fac38733c9066307c19dcbea9cae9ce8f637e/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.42
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d029579643dc3094464725f585cad4d0f71b7543/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/d029579643dc3094464725f585cad4d0f71b7543/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.41
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/09702838cd2cef6590b5df119677013c36869f08/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/09702838cd2cef6590b5df119677013c36869f08/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.39
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/00ad21526d1dedf924409d63ecc1625dfebad0d3/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/00ad21526d1dedf924409d63ecc1625dfebad0d3/src/benchmark/workdir.js#L146 144 | const child = spawn(script, [], { 145 | cwd, > 146 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 147 | detached: true, 148 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.38
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f48941c2dc7eb7f3813fe648888ea1aec3106a66/src/benchmark/scorer.js#L49 47 | 48 | const child = spawn(script, [], { > 49 | env: { 50 | ...process.env, 51 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/f48941c2dc7eb7f3813fe648888ea1aec3106a66/src/benchmark/workdir.js#L134 132 | const child = spawn(script, [], { 133 | cwd, > 134 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 135 | detached: true, 136 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.36
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/25c7aba5f43d670f0ede6ac3f95c9c307fd7ef20/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/25c7aba5f43d670f0ede6ac3f95c9c307fd7ef20/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.35
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/0729d376bfa9e6fccf7ee6258f01f0542e05d850/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/0729d376bfa9e6fccf7ee6258f01f0542e05d850/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.34
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/082a6b9da85599cfd2993da220280c6869be319b/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/082a6b9da85599cfd2993da220280c6869be319b/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.33
3 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/57e91a3e4369ea573f5aad5b6dcb732f4d6d0e34/src/benchmark/scorer.js#L52 50 | 51 | const child = spawn(script, [], { > 52 | env: { 53 | ...process.env, 54 | WORKDIR: ctx.cwd,
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/forwardimpact/monorepo/blob/57e91a3e4369ea573f5aad5b6dcb732f4d6d0e34/src/benchmark/workdir.js#L133 131 | const child = spawn(script, [], { 132 | cwd, > 133 | env: { ...process.env, WORKDIR: cwd, PORT: String(port) }, 134 | detached: true, 135 | stdio: ["ignore", "pipe", "pipe"],
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.28
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.