
alchemy

[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/alchemy-run/alchemy)

Versions: 47
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

pear-alchemy, johnroyal, sam-goodwin

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool spreading process.env into child process spawn — standard pattern, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 used for AES-256 encryption/decryption of ciphertext components — legitimate cryptographic use. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy wrapper for Stripe client — standard JS Proxy pattern, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@iarna/toml | AI (phantom-deps): Declared but not directly imported; used in config files only — stable false positive for this package. | ai | |

Versions (showing 47 of 47)

Version Deps Published
0.93.9 30 / 52
0.93.7 30 / 52
0.93.6 30 / 52
0.93.4 30 / 52
0.93.2 29 / 52
0.93.1 29 / 52
0.93.0 29 / 52
0.92.2 29 / 52
0.92.1 29 / 52
0.91.2 29 / 52
0.17.2 1 / 31
0.17.1 1 / 31
0.17.0 1 / 31
0.16.10 1 / 31
0.16.9 1 / 31
0.16.8 1 / 31
0.16.7 1 / 31
0.16.6 1 / 31
0.16.5 1 / 31
0.16.4 1 / 31
0.16.3 1 / 31
0.16.2 1 / 31
0.16.1 1 / 31
0.16.0 1 / 31
0.15.14 1 / 31
0.15.13 1 / 31
0.15.12 1 / 31
0.15.11 1 / 31
0.15.10 1 / 31
0.15.9 1 / 31
0.15.8 1 / 31
0.15.7 1 / 31
0.15.6 1 / 31
0.15.5 1 / 31
0.15.4 1 / 31
0.15.3 1 / 31
0.15.2 1 / 31
0.15.1 1 / 31
0.15.0 1 / 31
0.14.1 1 / 31
0.14.0 1 / 31
0.13.0 1 / 29
0.12.21 1 / 29
0.12.20 1 / 29
0.12.19 0 / 29
0.12.18 0 / 29
0.12.17 0 / 29

v0.93.9

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:274 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  272 | shell: true,
  273 | stdio: ["inherit", "inherit", "pipe"],
> 274 | env: {
  275 |   ...process.env,
  276 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:168 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  166 | }
  167 | },
> 168 | env: {
  169 |   ...unencryptSecrets(env ?? {}),
  170 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:362 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  360 | }
  361 | },
> 362 | env: {
  363 |   ...unencryptSecrets(env ?? {}),
  364 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.7

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:274 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  272 | shell: true,
  273 | stdio: ["inherit", "inherit", "pipe"],
> 274 | env: {
  275 |   ...process.env,
  276 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:168 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  166 | }
  167 | },
> 168 | env: {
  169 |   ...unencryptSecrets(env ?? {}),
  170 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:362 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  360 | }
  361 | },
> 362 | env: {
  363 |   ...unencryptSecrets(env ?? {}),
  364 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.6

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  264 | shell: true,
  265 | stdio: ["inherit", "inherit", "pipe"],
> 266 | env: {
  267 |   ...process.env,
  268 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:168 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  166 | }
  167 | },
> 168 | env: {
  169 |   ...unencryptSecrets(env ?? {}),
  170 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:362 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  360 | }
  361 | },
> 362 | env: {
  363 |   ...unencryptSecrets(env ?? {}),
  364 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.4

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  264 | shell: true,
  265 | stdio: ["inherit", "inherit", "pipe"],
> 266 | env: {
  267 |   ...process.env,
  268 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:168 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  166 | }
  167 | },
> 168 | env: {
  169 |   ...unencryptSecrets(env ?? {}),
  170 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:362 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  360 | }
  361 | },
> 362 | env: {
  363 |   ...unencryptSecrets(env ?? {}),
  364 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.2

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  264 | shell: true,
  265 | stdio: ["inherit", "inherit", "pipe"],
> 266 | env: {
  267 |   ...process.env,
  268 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:168 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  166 | }
  167 | },
> 168 | env: {
  169 |   ...unencryptSecrets(env ?? {}),
  170 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:362 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  360 | }
  361 | },
> 362 | env: {
  363 |   ...unencryptSecrets(env ?? {}),
  364 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.1

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  264 | shell: true,
  265 | stdio: ["inherit", "inherit", "pipe"],
> 266 | env: {
  267 |   ...process.env,
  268 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:63 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  61 | })();
  62 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 63 | const env = {
  64 |   ...process.env,
  65 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:167 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  165 | }
  166 | },
> 167 | env: {
  168 |   ...unencryptSecrets(env ?? {}),
  169 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:243 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  241 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  242 |
> 243 | const env = {
  244 |   ...process.env,
  245 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:360 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  358 | }
  359 | },
> 360 | env: {
  361 |   ...unencryptSecrets(env ?? {}),
  362 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.93.0

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  264 | shell: true,
  265 | stdio: ["inherit", "inherit", "pipe"],
> 266 | env: {
  267 |   ...process.env,
  268 |   FORCE_COLOR: "1",
```

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  78 | }
  79 | },
> 80 | env: {
  81 |   ...unencryptSecrets(env ?? {}),
  82 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/cloudflare/website.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | })();
  61 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
> 62 | const env = {
  63 |   ...process.env,
  64 |   ...props.env,
```

HIGH env-spread: lib/cloudflare/website.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  164 | }
  165 | },
> 166 | env: {
  167 |   ...unencryptSecrets(env ?? {}),
  168 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  60 | // setting the DOCKER_CONFIG env variable for the spawned process.
  61 | const env = this.configDir
> 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  63 |   : process.env;
  64 | // Buffers to capture output
```

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  118 | const childProcess = spawn(cmd, args, {
  119 |   cwd: props.cwd || process.cwd(),
> 120 |   env: { ...process.env, ...processedEnv },
  121 |   shell: true, // Use shell to handle complex commands
  122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  168 | const defaultOptions = {
  169 |   stdio: "inherit",
> 170 |   env: {
  171 |     ...process.env,
  172 |   },
```

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  131 | }
  132 | },
> 133 | env: {
  134 |   ...unencryptSecrets(env ?? {}),
  135 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/cloudflare/website.ts:238 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  236 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
  237 |
> 238 | const env = {
  239 |   ...process.env,
  240 |   ...props.env,
```

HIGH env-spread: src/cloudflare/website.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  353 | }
  354 | },
> 355 | env: {
  356 |   ...unencryptSecrets(env ?? {}),
  357 |   ...(typeof dev === "object" ? dev.env : {}),
```

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  182 | // setting the DOCKER_CONFIG env variable for the spawned process.
  183 | const env = this.configDir
> 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
  185 |   : process.env;
  186 |
```

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  229 | const childProcess = spawn(cmd, args, {
  230 |   cwd: props.cwd || process.cwd(),
> 231 |   env: { ...process.env, ...processedEnv },
  232 |   shell: true, // Use shell to handle complex commands
  233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  288 | const defaultOptions: SpawnOptions = {
  289 |   stdio: "inherit",
> 290 |   env: {
  291 |     ...process.env,
  292 |   },
```

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.92.2

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets 264 | shell: true, 265 | stdio: ["inherit", "inherit", "pipe"], > 266 | env: { 267 | ...process.env, 268 | FORCE_COLOR: "1",

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets 78 | } 79 | }, > 80 | env: { 81 | ...unencryptSecrets(env ?? {}), 82 | ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/cloudflare/website.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets 60 | })(); 61 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path; > 62 | const env = { 63 | ...process.env, 64 | ...props.env,

HIGH env-spread: lib/cloudflare/website.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets 164 | } 165 | }, > 166 | env: { 167 | ...unencryptSecrets(env ?? {}), 168 | ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets 60 | // setting the DOCKER_CONFIG env variable for the spawned process. 61 | const env = this.configDir > 62 | ? { ...process.env, DOCKER_CONFIG: this.configDir } 63 | : process.env; 64 | // Buffers to capture output

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets 118 | const childProcess = spawn(cmd, args, { 119 | cwd: props.cwd || process.cwd(), > 120 | env: { ...process.env, ...processedEnv }, 121 | shell: true, // Use shell to handle complex commands 122 | stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets 168 | const defaultOptions = { 169 | stdio: "inherit", > 170 | env: { 171 | ...process.env, 172 | },

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets 131 | } 132 | }, > 133 | env: { 134 | ...unencryptSecrets(env ?? {}), 135 | ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/cloudflare/website.ts:238 semgrep

Spreading entire process.env into an object — may capture all secrets 236 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path; 237 | > 238 | const env = { 239 | ...process.env, 240 | ...props.env,

HIGH env-spread: src/cloudflare/website.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets 353 | } 354 | }, > 355 | env: { 356 | ...unencryptSecrets(env ?? {}), 357 | ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets 182 | // setting the DOCKER_CONFIG env variable for the spawned process. 183 | const env = this.configDir > 184 | ? { ...process.env, DOCKER_CONFIG: this.configDir } 185 | : process.env; 186 |

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

      229 | const childProcess = spawn(cmd, args, {
      230 |   cwd: props.cwd || process.cwd(),
    > 231 |   env: { ...process.env, ...processedEnv },
      232 |   shell: true, // Use shell to handle complex commands
      233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

      288 | const defaultOptions: SpawnOptions = {
      289 |   stdio: "inherit",
    > 290 |   env: {
      291 |     ...process.env,
      292 |   },

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.92.1

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

      264 | shell: true,
      265 | stdio: ["inherit", "inherit", "pipe"],
    > 266 | env: {
      267 |   ...process.env,
      268 |   FORCE_COLOR: "1",

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

      78 | }
      79 | },
    > 80 | env: {
      81 |   ...unencryptSecrets(env ?? {}),
      82 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/cloudflare/website.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

      60 | })();
      61 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
    > 62 | const env = {
      63 |   ...process.env,
      64 |   ...props.env,

HIGH env-spread: lib/cloudflare/website.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets

      164 | }
      165 | },
    > 166 | env: {
      167 |   ...unencryptSecrets(env ?? {}),
      168 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

      60 | // setting the DOCKER_CONFIG env variable for the spawned process.
      61 | const env = this.configDir
    > 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
      63 |   : process.env;
      64 | // Buffers to capture output

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

      118 | const childProcess = spawn(cmd, args, {
      119 |   cwd: props.cwd || process.cwd(),
    > 120 |   env: { ...process.env, ...processedEnv },
      121 |   shell: true, // Use shell to handle complex commands
      122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

      168 | const defaultOptions = {
      169 |   stdio: "inherit",
    > 170 |   env: {
      171 |     ...process.env,
      172 |   },

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

      131 | }
      132 | },
    > 133 | env: {
      134 |   ...unencryptSecrets(env ?? {}),
      135 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/cloudflare/website.ts:238 semgrep

Spreading entire process.env into an object — may capture all secrets

      236 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
      237 |
    > 238 | const env = {
      239 |   ...process.env,
      240 |   ...props.env,

HIGH env-spread: src/cloudflare/website.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets

      353 | }
      354 | },
    > 355 | env: {
      356 |   ...unencryptSecrets(env ?? {}),
      357 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

      182 | // setting the DOCKER_CONFIG env variable for the spawned process.
      183 | const env = this.configDir
    > 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
      185 |   : process.env;
      186 |

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

      229 | const childProcess = spawn(cmd, args, {
      230 |   cwd: props.cwd || process.cwd(),
    > 231 |   env: { ...process.env, ...processedEnv },
      232 |   shell: true, // Use shell to handle complex commands
      233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

      288 | const defaultOptions: SpawnOptions = {
      289 |   stdio: "inherit",
    > 290 |   env: {
      291 |     ...process.env,
      292 |   },

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.91.2

14 findings
HIGH env-spread: bin/services/execute-alchemy.ts:266 semgrep

Spreading entire process.env into an object — may capture all secrets

      264 | shell: true,
      265 | stdio: ["inherit", "inherit", "pipe"],
    > 266 | env: {
      267 |   ...process.env,
      268 |   FORCE_COLOR: "1",

HIGH env-spread: lib/cloudflare/bun-spa/bun-spa.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets

      78 | }
      79 | },
    > 80 | env: {
      81 |   ...unencryptSecrets(env ?? {}),
      82 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/cloudflare/website.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

      60 | })();
      61 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
    > 62 | const env = {
      63 |   ...process.env,
      64 |   ...props.env,

HIGH env-spread: lib/cloudflare/website.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets

      164 | }
      165 | },
    > 166 | env: {
      167 |   ...unencryptSecrets(env ?? {}),
      168 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: lib/docker/api.js:62 semgrep

Spreading entire process.env into an object — may capture all secrets

      60 | // setting the DOCKER_CONFIG env variable for the spawned process.
      61 | const env = this.configDir
    > 62 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
      63 |   : process.env;
      64 | // Buffers to capture output

HIGH env-spread: lib/os/exec.js:120 semgrep

Spreading entire process.env into an object — may capture all secrets

      118 | const childProcess = spawn(cmd, args, {
      119 |   cwd: props.cwd || process.cwd(),
    > 120 |   env: { ...process.env, ...processedEnv },
      121 |   shell: true, // Use shell to handle complex commands
      122 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:170 semgrep

Spreading entire process.env into an object — may capture all secrets

      168 | const defaultOptions = {
      169 |   stdio: "inherit",
    > 170 |   env: {
      171 |     ...process.env,
      172 |   },

HIGH env-spread: src/cloudflare/bun-spa/bun-spa.ts:133 semgrep

Spreading entire process.env into an object — may capture all secrets

      131 | }
      132 | },
    > 133 | env: {
      134 |   ...unencryptSecrets(env ?? {}),
      135 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/cloudflare/website.ts:238 semgrep

Spreading entire process.env into an object — may capture all secrets

      236 | const secrets = props.wrangler?.secrets ?? !props.wrangler?.path;
      237 |
    > 238 | const env = {
      239 |   ...process.env,
      240 |   ...props.env,

HIGH env-spread: src/cloudflare/website.ts:355 semgrep

Spreading entire process.env into an object — may capture all secrets

      353 | }
      354 | },
    > 355 | env: {
      356 |   ...unencryptSecrets(env ?? {}),
      357 |   ...(typeof dev === "object" ? dev.env : {}),

HIGH env-spread: src/docker/api.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

      182 | // setting the DOCKER_CONFIG env variable for the spawned process.
      183 | const env = this.configDir
    > 184 |   ? { ...process.env, DOCKER_CONFIG: this.configDir }
      185 |   : process.env;
      186 |

HIGH env-spread: src/os/exec.ts:231 semgrep

Spreading entire process.env into an object — may capture all secrets

      229 | const childProcess = spawn(cmd, args, {
      230 |   cwd: props.cwd || process.cwd(),
    > 231 |   env: { ...process.env, ...processedEnv },
      232 |   shell: true, // Use shell to handle complex commands
      233 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:290 semgrep

Spreading entire process.env into an object — may capture all secrets

      288 | const defaultOptions: SpawnOptions = {
      289 |   stdio: "inherit",
    > 290 |   env: {
      291 |     ...process.env,
      292 |   },

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.2

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.1

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.0

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.10

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.9

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.8

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.7

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.6

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.5

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.4

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.3

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.2

5 findings
HIGH env-spread: lib/os/exec.js:94 semgrep

Spreading entire process.env into an object — may capture all secrets

      92 | const childProcess = spawn(cmd, args, {
      93 |   cwd: props.cwd || process.cwd(),
    > 94 |   env: { ...process.env, ...props.env },
      95 |   shell: true, // Use shell to handle complex commands
      96 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:144 semgrep

Spreading entire process.env into an object — may capture all secrets

      142 | const defaultOptions = {
      143 |   stdio: "inherit",
    > 144 |   env: {
      145 |     ...process.env,
      146 |   },

HIGH env-spread: src/os/exec.ts:204 semgrep

Spreading entire process.env into an object — may capture all secrets

      202 | const childProcess = spawn(cmd, args, {
      203 |   cwd: props.cwd || process.cwd(),
    > 204 |   env: { ...process.env, ...props.env },
      205 |   shell: true, // Use shell to handle complex commands
      206 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:263 semgrep

Spreading entire process.env into an object — may capture all secrets

      261 | const defaultOptions: SpawnOptions = {
      262 |   stdio: "inherit",
    > 263 |   env: {
      264 |     ...process.env,
      265 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.1

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

      65 | const childProcess = spawn(cmd, args, {
      66 |   cwd: props.cwd || process.cwd(),
    > 67 |   env: { ...process.env, ...props.env },
      68 |   shell: true, // Use shell to handle complex commands
      69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

      114 | const defaultOptions = {
      115 |   stdio: "inherit",
    > 116 |   env: {
      117 |     ...process.env,
      118 |   },

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

      147 | const childProcess = spawn(cmd, args, {
      148 |   cwd: props.cwd || process.cwd(),
    > 149 |   env: { ...process.env, ...props.env },
      150 |   shell: true, // Use shell to handle complex commands
      151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

      205 | const defaultOptions: SpawnOptions = {
      206 |   stdio: "inherit",
    > 207 |   env: {
      208 |     ...process.env,
      209 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.0

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

      65 | const childProcess = spawn(cmd, args, {
      66 |   cwd: props.cwd || process.cwd(),
    > 67 |   env: { ...process.env, ...props.env },
      68 |   shell: true, // Use shell to handle complex commands
      69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

      114 | const defaultOptions = {
      115 |   stdio: "inherit",
    > 116 |   env: {
      117 |     ...process.env,
      118 |   },

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

      147 | const childProcess = spawn(cmd, args, {
      148 |   cwd: props.cwd || process.cwd(),
    > 149 |   env: { ...process.env, ...props.env },
      150 |   shell: true, // Use shell to handle complex commands
      151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

      205 | const defaultOptions: SpawnOptions = {
      206 |   stdio: "inherit",
    > 207 |   env: {
      208 |     ...process.env,
      209 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.14

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

      65 | const childProcess = spawn(cmd, args, {
      66 |   cwd: props.cwd || process.cwd(),
    > 67 |   env: { ...process.env, ...props.env },
      68 |   shell: true, // Use shell to handle complex commands
      69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

      114 | const defaultOptions = {
      115 |   stdio: "inherit",
    > 116 |   env: {
      117 |     ...process.env,
      118 |   },

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

      147 | const childProcess = spawn(cmd, args, {
      148 |   cwd: props.cwd || process.cwd(),
    > 149 |   env: { ...process.env, ...props.env },
      150 |   shell: true, // Use shell to handle complex commands
      151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

      205 | const defaultOptions: SpawnOptions = {
      206 |   stdio: "inherit",
    > 207 |   env: {
      208 |     ...process.env,
      209 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.13

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

      65 | const childProcess = spawn(cmd, args, {
      66 |   cwd: props.cwd || process.cwd(),
    > 67 |   env: { ...process.env, ...props.env },
      68 |   shell: true, // Use shell to handle complex commands
      69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

      114 | const defaultOptions = {
      115 |   stdio: "inherit",
    > 116 |   env: {
      117 |     ...process.env,
      118 |   },

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

      147 | const childProcess = spawn(cmd, args, {
      148 |   cwd: props.cwd || process.cwd(),
    > 149 |   env: { ...process.env, ...props.env },
      150 |   shell: true, // Use shell to handle complex commands
      151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

      205 | const defaultOptions: SpawnOptions = {
      206 |   stdio: "inherit",
    > 207 |   env: {
      208 |     ...process.env,
      209 |   },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.12

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

      65 | const childProcess = spawn(cmd, args, {
      66 |   cwd: props.cwd || process.cwd(),
    > 67 |   env: { ...process.env, ...props.env },
      68 |   shell: true, // Use shell to handle complex commands
      69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

      114 | const defaultOptions = {
      115 |   stdio: "inherit",
    > 116 |   env: {
      117 |     ...process.env,
      118 |   },

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

      147 | const childProcess = spawn(cmd, args, {
      148 |   cwd: props.cwd || process.cwd(),
    > 149 |   env: { ...process.env, ...props.env },
      150 |   shell: true, // Use shell to handle complex commands
      151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets 205 | const defaultOptions: SpawnOptions = { 206 | stdio: "inherit", > 207 | env: { 208 | ...process.env, 209 | },

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.11

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.10

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.9

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.8

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.7

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.6

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.5

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.4

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.3

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.2

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.1

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.0

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.14.1

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.14.0

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.0

5 findings
HIGH env-spread: lib/os/exec.js:67 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   65 | const childProcess = spawn(cmd, args, {
   66 |   cwd: props.cwd || process.cwd(),
>  67 |   env: { ...process.env, ...props.env },
   68 |   shell: true, // Use shell to handle complex commands
   69 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: lib/os/exec.js:116 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  114 | const defaultOptions = {
  115 |   stdio: "inherit",
> 116 |   env: {
  117 |     ...process.env,
  118 |   },
```

HIGH env-spread: src/os/exec.ts:149 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  147 | const childProcess = spawn(cmd, args, {
  148 |   cwd: props.cwd || process.cwd(),
> 149 |   env: { ...process.env, ...props.env },
  150 |   shell: true, // Use shell to handle complex commands
  151 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:207 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  205 | const defaultOptions: SpawnOptions = {
  206 |   stdio: "inherit",
> 207 |   env: {
  208 |     ...process.env,
  209 |   },
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.21

3 findings
HIGH env-spread: lib/os/exec.js:68 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   66 | const childProcess = spawn(cmd, args, {
   67 |   cwd: props.cwd || process.cwd(),
>  68 |   env: { ...process.env, ...props.env },
   69 |   shell: true, // Use shell to handle complex commands
   70 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:148 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  146 | const childProcess = spawn(cmd, args, {
  147 |   cwd: props.cwd || process.cwd(),
> 148 |   env: { ...process.env, ...props.env },
  149 |   shell: true, // Use shell to handle complex commands
  150 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.20

3 findings
HIGH env-spread: lib/os/exec.js:68 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   66 | const childProcess = spawn(cmd, args, {
   67 |   cwd: props.cwd || process.cwd(),
>  68 |   env: { ...process.env, ...props.env },
   69 |   shell: true, // Use shell to handle complex commands
   70 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:148 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  146 | const childProcess = spawn(cmd, args, {
  147 |   cwd: props.cwd || process.cwd(),
> 148 |   env: { ...process.env, ...props.env },
  149 |   shell: true, // Use shell to handle complex commands
  150 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.19

3 findings
HIGH env-spread: lib/os/exec.js:68 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   66 | const childProcess = spawn(cmd, args, {
   67 |   cwd: props.cwd || process.cwd(),
>  68 |   env: { ...process.env, ...props.env },
   69 |   shell: true, // Use shell to handle complex commands
   70 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:148 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  146 | const childProcess = spawn(cmd, args, {
  147 |   cwd: props.cwd || process.cwd(),
> 148 |   env: { ...process.env, ...props.env },
  149 |   shell: true, // Use shell to handle complex commands
  150 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.18

3 findings
HIGH env-spread: lib/os/exec.js:68 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   66 | const childProcess = spawn(cmd, args, {
   67 |   cwd: props.cwd || process.cwd(),
>  68 |   env: { ...process.env, ...props.env },
   69 |   shell: true, // Use shell to handle complex commands
   70 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:148 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  146 | const childProcess = spawn(cmd, args, {
  147 |   cwd: props.cwd || process.cwd(),
> 148 |   env: { ...process.env, ...props.env },
  149 |   shell: true, // Use shell to handle complex commands
  150 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.17

3 findings
HIGH env-spread: lib/os/exec.js:68 semgrep

Spreading entire process.env into an object — may capture all secrets

```
   66 | const childProcess = spawn(cmd, args, {
   67 |   cwd: props.cwd || process.cwd(),
>  68 |   env: { ...process.env, ...props.env },
   69 |   shell: true, // Use shell to handle complex commands
   70 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

HIGH env-spread: src/os/exec.ts:148 semgrep

Spreading entire process.env into an object — may capture all secrets

```
  146 | const childProcess = spawn(cmd, args, {
  147 |   cwd: props.cwd || process.cwd(),
> 148 |   env: { ...process.env, ...props.env },
  149 |   shell: true, // Use shell to handle complex commands
  150 |   stdio: inheritStdio ? "inherit" : "pipe", // Inherit stdio when requested
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.