@skuba-lib/api

Node.js development API for skuba

Versions: 6
License: (no value shown)
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

seek-oss-ci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:new-function-constructor | AI (semgrep): Used as a runtime capability probe (new Function("")) to detect restricted environments like Cloudflare Workers — a well-known benign pattern, not dynamic code execution of untrusted input. | ai |
bogus-package | bogus-package | AI (bogus-package): Sub-package of seek-oss/skuba monorepo; sparse README and no keywords are expected for internal/sub-packages of established projects. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package under @skuba-lib; no relation to 'joi'. Mechanical false positive. | ai |
typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package under @skuba-lib; no relation to 'ajv'. Mechanical false positive. | ai |
semgrep | semgrep:env-spread | AI (semgrep): env-spread occurs in bundled exec utilities (cross-spawn/execa); standard pattern for a developer tooling library managing child processes. | ai |
typosquat | typosquat.levenshtein:hapi | AI (typosquat): @skuba-lib/api is a scoped sub-package of seek-oss/skuba; Levenshtein match to 'hapi' is a mechanical false positive with no brand impersonation. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is from bundled tree-kill/cross-spawn; expected in a developer tooling library that manages process execution. | ai |
semgrep | semgrep:child-process-spawn | AI (semgrep): spawn() usage is from bundled cross-spawn; standard and expected in a developer tooling library. | ai |
dependencies | unvetted-dep:isomorphic-git | AI (dependencies): isomorphic-git is a well-known, widely-used git library; unvetted flag is a registry gap, not a security concern for this package. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): env-bulk-read is in bundled cross-spawn code finding PATH variable; expected behavior for process-spawning utilities. | ai |
typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package under @skuba-lib; no relation to 'pg'. Mechanical false positive. | ai |

Versions (showing 6 of 6)

Version | Deps   | Published
2.1.2   | 11 / 0 |
2.1.1   | 7 / 0  |
2.1.0   | 7 / 0  |
2.0.2   | 7 / 1  |
2.0.1   | 7 / 1  |
2.0.0   | 6 / 1  |

v2.1.2

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

6 findings
HIGH  typosquat.levenshtein: Possible typosquat of 'hapi'  (source: typosquat)

Package name '@skuba-lib/api' is 1 edit(s) away from popular package 'hapi'.

HIGH  env-spread: lib/exec-Bcan8fLb.mjs:10830  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      10828 |   stdio: stdioValues,
      10829 |   ...process.platform.startsWith("win") && { detached: false },
    > 10830 |   env: {
      10831 |     ...colorSupport ? { FORCE_COLOR: colorSupport.level.toString() } : {},
      10832 |     ...process.env,

HIGH  env-spread: lib/exec-Bcan8fLb.mjs:15851  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      15849 | const DEFAULT_MAX_BUFFER = 1e3 * 1e3 * 100;
      15850 | const getEnv = ({ env: envOption, extendEnv, preferLocal, localDir, execPath }) => {
    > 15851 |   const env = extendEnv ? {
      15852 |     ...process.env,
      15853 |     ...envOption

HIGH  env-spread: lib/exec-CVlcoV9u.cjs:10831  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      10829 |   stdio: stdioValues,
      10830 |   ...process.platform.startsWith("win") && { detached: false },
    > 10831 |   env: {
      10832 |     ...colorSupport ? { FORCE_COLOR: colorSupport.level.toString() } : {},
      10833 |     ...process.env,

HIGH  env-spread: lib/exec-CVlcoV9u.cjs:15852  (source: semgrep)

Spreading entire process.env into an object — may capture all secrets

      15850 | const DEFAULT_MAX_BUFFER = 1e3 * 1e3 * 100;
      15851 | const getEnv = ({ env: envOption, extendEnv, preferLocal, localDir, execPath }) => {
    > 15852 |   const env = extendEnv ? {
      15853 |     ...process.env,
      15854 |     ...envOption

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.