@oh-my-pi/pi-utils
Shared utilities for pi packages
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is a same-org sibling package at matching version from the same trusted publisher; not a suspicious third-party addition. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into spawn options is standard for shell process managers; not exfiltration. | ai | |
| provenance | missing-githead | AI (provenance): Publisher appears to have switched to local publish workflow; no other risk signals present. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a well-known, established templating library; not a supply-chain risk for this package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is common (~88% of npm); no other risk signals present for this package. | ai | |
Versions (showing 97 of 297)
| Version | Deps | Published |
|---|---|---|
| 11.8.0 | 2 / 1 | |
| 11.7.3 | 2 / 1 | |
| 11.7.2 | 2 / 1 | |
| 11.7.1 | 2 / 1 | |
| 11.7.0 | 2 / 1 | |
| 11.6.1 | 2 / 1 | |
| 11.6.0 | 2 / 1 | |
| 11.5.2 | 2 / 1 | |
| 11.5.1 | 2 / 1 | |
| 11.5.0 | 2 / 1 | |
| 11.4.1 | 2 / 1 | |
| 11.4.0 | 2 / 1 | |
| 11.3.0 | 2 / 1 | |
| 11.2.3 | 2 / 1 | |
| 11.2.2 | 2 / 1 | |
| 11.2.1 | 2 / 1 | |
| 11.2.0 | 2 / 1 | |
| 11.1.0 | 2 / 1 | |
| 11.0.3 | 2 / 1 | |
| 11.0.2 | 2 / 1 | |
| 11.0.1 | 2 / 1 | |
| 11.0.0 | 2 / 1 | |
| 10.6.2 | 2 / 1 | |
| 10.6.1 | 2 / 1 | |
| 10.6.0 | 2 / 1 | |
| 10.5.0 | 2 / 1 | |
| 10.3.2 | 2 / 1 | |
| 10.3.1 | 2 / 1 | |
| 10.3.0 | 2 / 1 | |
| 10.2.3 | 2 / 1 | |
| 10.2.2 | 2 / 1 | |
| 10.2.1 | 2 / 1 | |
| 10.2.0 | 2 / 1 | |
| 10.0.0 | 2 / 1 | |
| 9.8.0 | 2 / 1 | |
| 9.7.0 | 2 / 1 | |
| 9.6.4 | 2 / 1 | |
| 9.6.3 | 2 / 1 | |
| 9.6.1 | 2 / 1 | |
| 9.6.0 | 2 / 1 | |
| 9.4.0 | 2 / 1 | |
| 9.3.1 | 2 / 1 | |
| 9.3.0 | 2 / 1 | |
| 9.2.5 | 2 / 1 | |
| 9.2.4 | 2 / 1 | |
| 9.2.3 | 2 / 1 | |
| 9.2.2 | 2 / 1 | |
| 9.2.1 | 2 / 1 | |
| 9.2.0 | 2 / 1 | |
| 9.1.1 | 3 / 1 | |
| 9.1.0 | 3 / 1 | |
| 9.0.0 | 3 / 1 | |
| 8.13.0 | 3 / 1 | |
| 8.12.10 | 3 / 1 | |
| 8.12.9 | 3 / 1 | |
| 8.12.8 | 3 / 1 | |
| 8.12.7 | 3 / 1 | |
| 8.12.5 | 3 / 1 | |
| 8.12.4 | 3 / 1 | |
| 8.12.2 | 3 / 1 | |
| 8.12.1 | 3 / 1 | |
| 8.11.14 | 3 / 1 | |
| 8.10.13 | 3 / 1 | |
| 8.10.12 | 3 / 1 | |
| 8.10.11 | 3 / 1 | |
| 8.9.10 | 3 / 1 | |
| 8.8.8 | 3 / 1 | |
| 8.6.0 | 3 / 1 | |
| 8.5.0 | 3 / 1 | |
| 8.4.5 | 3 / 1 | |
| 8.4.3 | 3 / 1 | |
| 8.4.2 | 3 / 1 | |
| 8.4.1 | 3 / 1 | |
| 8.4.0 | 3 / 1 | |
| 8.3.0 | 3 / 1 | |
| 8.2.2 | 3 / 1 | |
| 8.2.1 | 3 / 1 | |
| 8.2.0 | 3 / 1 | |
| 8.1.0 | 3 / 1 | |
| 8.0.20 | 3 / 1 | |
| 8.0.16 | 3 / 1 | |
| 8.0.15 | 3 / 1 | |
| 8.0.14 | 3 / 1 | |
| 8.0.12 | 3 / 1 | |
| 8.0.11 | 3 / 1 | |
| 8.0.10 | 3 / 1 | |
| 8.0.9 | 3 / 1 | |
| 8.0.0 | 3 / 1 | |
| 7.0.0 | 3 / 1 | |
| 6.9.69 | 3 / 1 | |
| 6.9.0 | 3 / 1 | |
| 6.8.5 | 3 / 1 | |
| 6.8.4 | 3 / 1 | |
| 6.8.3 | 3 / 1 | |
| 6.8.2 | 3 / 1 | |
| 6.8.1 | 3 / 1 | |
| 6.8.0 | 3 / 1 | |
v11.8.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.5.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.5.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.5.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.4.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.4.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.3.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  34 | function buildSpawnEnv(shell: string): Record<string, string> {
  35 |   const noCI = $env.PI_BASH_NO_CI || $env.CLAUDE_BASH_NO_CI;
> 36 |   return {
  37 |     ...process.env,
  38 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  34 | function buildSpawnEnv(shell: string): Record<string, string> {
  35 |   const noCI = $env.PI_BASH_NO_CI || $env.CLAUDE_BASH_NO_CI;
> 36 |   return {
  37 |     ...process.env,
  38 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  34 | function buildSpawnEnv(shell: string): Record<string, string> {
  35 |   const noCI = $env.PI_BASH_NO_CI || $env.CLAUDE_BASH_NO_CI;
> 36 |   return {
  37 |     ...process.env,
  38 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.3.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.3.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.3.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.8.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.7.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.6.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  33 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  34 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 35 |   return {
  36 |     ...process.env,
  37 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.13.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
Spreading entire process.env into an object — may capture all secrets
```ts
  32 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  33 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 34 |   return {
  35 |     ...process.env,
  36 |     SHELL: shell,
```
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.9
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.12.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.11.14
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.13
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.12
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.10.11
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.9.10
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.8.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.69
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: can1357.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.