@ossy/app
Server-side rendering runtime and build tooling for Ossy apps.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:rollup-plugin-peer-deps-external | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-node-externals | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-inject | AI (phantom-deps): Rollup plugin loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-copy | AI (phantom-deps): Rollup config-file usage pattern; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-preserve-directives | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-postcss-modules | AI (phantom-deps): Referenced in rollup config files; standard build-tool pattern. | ai | |
| phantom-deps | phantom-dep:@ossy/connected-components | AI (phantom-deps): Same-org scoped packages used as peer/framework deps; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:terser | AI (phantom-deps): Build tool dep loaded via config; stable false positive. | ai | |
| phantom-deps | phantom-dep:cookie-parser | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ossy/sdk | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai | |
| phantom-deps | phantom-dep:@ossy/router | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai | |
| phantom-deps | phantom-dep:morgan | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-delete | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-typescript | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-dts | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@ossy/design-system | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-alias | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Build framework package; plugins/presets declared for downstream consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Build framework package; declared for downstream consumer use. | ai | |
| phantom-deps | phantom-dep:@ossy/pages | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai | |
| phantom-deps | phantom-dep:@ossy/themes | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@babel/register | AI (phantom-deps): Framework-scoped; loaded by convention not direct import. | ai | |
| phantom-deps | phantom-dep:@ossy/sdk-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@ossy/router-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a dev CLI tool spawning a child process; standard pattern for dev servers passing environment through. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of ajv. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of yup. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of hapi. | ai |
Versions (showing 51 of 109)
| Version | Deps | Published |
|---|---|---|
| 1.35.0 | 37 / 3 | |
| 1.26.1 | 38 / 3 | |
| 1.21.2 | 38 / 3 | |
| 1.21.1 | 38 / 3 | |
| 1.21.0 | 38 / 3 | |
| 1.17.12 | 38 / 3 | |
| 1.16.11 | 38 / 3 | |
| 1.16.5 | 38 / 3 | |
| 1.16.3 | 38 / 3 | |
| 1.16.0 | 38 / 3 | |
| 1.11.7 | 37 / 3 | |
| 1.11.1 | 37 / 3 | |
| 1.11.0 | 37 / 3 | |
| 1.0.6 | 0 / 3 | |
| 1.0.5 | 0 / 3 | |
| 1.0.4 | 0 / 3 | |
| 1.0.3 | 0 / 3 | |
| 1.0.2 | 0 / 3 | |
| 1.0.1 | 0 / 3 | |
| 0.15.13 | 0 / 3 | |
| 0.15.12 | 0 / 3 | |
| 0.15.11 | 0 / 3 | |
| 0.15.10 | 0 / 3 | |
| 0.15.9 | 0 / 3 | |
| 0.15.8 | 0 / 3 | |
| 0.15.7 | 0 / 3 | |
| 0.15.6 | 0 / 3 | |
| 0.15.5 | 0 / 3 | |
| 0.15.4 | 0 / 3 | |
| 0.15.3 | 0 / 3 | |
| 0.15.1 | 0 / 3 | |
| 0.15.0 | 0 / 3 | |
| 0.14.1 | 0 / 3 | |
| 0.14.0 | 0 / 3 | |
| 0.13.4 | 0 / 3 | |
| 0.13.3 | 0 / 3 | |
| 0.13.2 | 0 / 3 | |
| 0.13.1 | 0 / 3 | |
| 0.13.0 | 0 / 3 | |
| 0.12.0 | 0 / 3 | |
| 0.11.2 | 0 / 3 | |
| 0.11.1 | 0 / 3 | |
| 0.11.0 | 0 / 3 | |
| 0.10.2 | 0 / 3 | |
| 0.10.1 | 0 / 3 | |
| 0.10.0 | 0 / 3 | |
| 0.9.1 | 0 / 0 | |
| 0.9.0 | 0 / 0 | |
| 0.8.4 | 0 / 0 | |
| 0.8.3 | 0 / 0 | |
| 0.8.2 | 0 / 0 |
v1.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.7
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.1
2 findingsSpreading entire process.env into an object — may capture all secrets 167 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 168 | stdio: 'inherit', > 169 | env: { 170 | ...process.env, 171 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.0
2 findingsSpreading entire process.env into an object — may capture all secrets 156 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 157 | stdio: 'inherit', > 158 | env: { 159 | ...process.env, 160 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.6
2 findingsSpreading entire process.env into an object — may capture all secrets 145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 146 | stdio: 'inherit', > 147 | env: { 148 | ...process.env, 149 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.5
2 findingsSpreading entire process.env into an object — may capture all secrets 145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 146 | stdio: 'inherit', > 147 | env: { 148 | ...process.env, 149 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.4
2 findingsSpreading entire process.env into an object — may capture all secrets 145 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 146 | stdio: 'inherit', > 147 | env: { 148 | ...process.env, 149 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
2 findingsSpreading entire process.env into an object — may capture all secrets 146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 147 | stdio: 'inherit', > 148 | env: { 149 | ...process.env, 150 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
2 findingsSpreading entire process.env into an object — may capture all secrets 146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 147 | stdio: 'inherit', > 148 | env: { 149 | ...process.env, 150 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
2 findingsSpreading entire process.env into an object — may capture all secrets 146 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 147 | stdio: 'inherit', > 148 | env: { 149 | ...process.env, 150 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.13
2 findingsSpreading entire process.env into an object — may capture all secrets 192 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 193 | stdio: 'inherit', > 194 | env: { 195 | ...process.env, 196 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.12
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.11
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.10
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.9
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.8
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.7
2 findingsSpreading entire process.env into an object — may capture all secrets 184 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 185 | stdio: 'inherit', > 186 | env: { 187 | ...process.env, 188 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.6
2 findingsSpreading entire process.env into an object — may capture all secrets 175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 176 | stdio: 'inherit', > 177 | env: { 178 | ...process.env, 179 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.5
2 findingsSpreading entire process.env into an object — may capture all secrets 175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 176 | stdio: 'inherit', > 177 | env: { 178 | ...process.env, 179 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.4
2 findingsSpreading entire process.env into an object — may capture all secrets 175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 176 | stdio: 'inherit', > 177 | env: { 178 | ...process.env, 179 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.3
2 findingsSpreading entire process.env into an object — may capture all secrets 175 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 176 | stdio: 'inherit', > 177 | env: { 178 | ...process.env, 179 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.1
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.1
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.4
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.3
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.2
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.1
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.2
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
2 findingsSpreading entire process.env into an object — may capture all secrets 154 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 155 | stdio: 'inherit', > 156 | env: { 157 | ...process.env, 158 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
2 findingsSpreading entire process.env into an object — may capture all secrets 126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 127 | stdio: 'inherit', > 128 | env: { 129 | ...process.env, 130 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
2 findingsSpreading entire process.env into an object — may capture all secrets 126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 127 | stdio: 'inherit', > 128 | env: { 129 | ...process.env, 130 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.4
2 findingsSpreading entire process.env into an object — may capture all secrets 126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 127 | stdio: 'inherit', > 128 | env: { 129 | ...process.env, 130 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.3
2 findingsSpreading entire process.env into an object — may capture all secrets 126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 127 | stdio: 'inherit', > 128 | env: { 129 | ...process.env, 130 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
2 findingsSpreading entire process.env into an object — may capture all secrets 126 | serverProcess = spawn(process.execPath, [path.resolve(buildPath, 'server.js'), ...process.argv.slice(3)], { 127 | stdio: 'inherit', > 128 | env: { 129 | ...process.env, 130 | OSSY_DEV_RELOAD: '1',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.