clipboardy
Access the system clipboard (copy/paste)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): The bundled binaries (xsel, clipboard_i686.exe, clipboard_x86_64.exe) are documented fallback clipboard utilities that are a core part of clipboardy's design across platforms. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): process.env is spread to pass environment to a local subprocess (pbcopy/pbpaste) with LC_CTYPE override. No exfiltration; standard pattern for locale-aware child process invocation. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 5.3.1 | 6 / 2 | |
| 5.3.0 | 6 / 2 | |
| 5.2.1 | 6 / 2 | |
| 5.2.0 | 6 / 2 | |
| 5.1.0 | 5 / 2 | |
| 5.0.2 | 4 / 2 | |
| 5.0.1 | 4 / 2 | |
| 5.0.0 | 4 / 2 | |
| 4.0.0 | 3 / 3 | |
| 3.0.0 | 3 / 3 | |
| 2.3.0 | 3 / 3 | |
| 2.2.0 | 3 / 3 | |
| 2.1.0 | 2 / 3 | |
| 2.0.0 | 2 / 3 | |
| 1.2.3 | 2 / 2 | |
| 1.2.2 | 2 / 2 | |
| 1.2.1 | 1 / 2 | |
| 1.2.0 | 1 / 2 | |
| 1.1.4 | 1 / 2 | |
| 1.1.3 | 1 / 2 | |
| 1.1.2 | 1 / 2 | |
| 1.1.1 | 1 / 2 | |
| 1.1.0 | 1 / 2 | |
| 1.0.2 | 1 / 2 | |
| 1.0.1 | 1 / 2 | |
| 1.0.0 | 1 / 2 | |
| 0.1.2 | 1 / 2 | |
| 0.1.1 | 1 / 2 | |
| 0.1.0 | 1 / 2 | |
v5.3.1
2 findings
- Package contains compiled binaries that could be backdoors:
  - fallbacks/linux/xsel
  - fallbacks/windows/clipboard_aarch64.exe
  - fallbacks/windows/clipboard_i686.exe
  - fallbacks/windows/clipboard_x86_64.exe
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.2
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
3 findings
- Package contains compiled binaries that could be backdoors:
  - fallbacks/linux/xsel
  - fallbacks/windows/clipboard_i686.exe
  - fallbacks/windows/clipboard_x86_64.exe
- Spreading entire process.env into an object — may capture all secrets
  Source: https://github.com/sindresorhus/clipboardy/blob/a2f843b3a04854090f5e8cbe1466cf74eeb3e31e/lib/macos.js#L4 (the flagged statement is the `const env = {` line; the closing `};` is added here so the excerpt is complete)

  ```js
  const execa = require('execa');

  // Flagged line: the whole parent environment is copied into the
  // object passed to the child process, with only LC_CTYPE overridden.
  const env = {
  	...process.env,
  	LC_CTYPE: 'UTF-8'
  };
  ```
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.