@boost/cli

An interactive command line program builder, powered by React and Ink.

Versions: 49
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

milesj

Keywords

boost, args, cli, command, line, interface, program, react, ink

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-peer-dep:ink | AI (dependencies): ink is the documented peer dependency for this React-based CLI framework; expected and appropriate. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package loaded by convention in React projects; not a real phantom dependency. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice signal, not a security blocker; package from trusted publisher. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): execa and semver are established utilities; not a suspicious dependency injection pattern. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Major version bump (v0.3.0 → v3.0.2) explains size increase; no evidence of injected code. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 93 new files and 76KB rollup helper are normal for major version bump; no evidence of injected code. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require with @boost/theme-* namespace is a legitimate optional theme loader, not arbitrary code execution. | ai | |
| dependencies | unvetted-dep:ink | AI (dependencies): ink is a well-known, widely-used React-based CLI rendering library. Its use here is consistent with the package's documented purpose of building interactive CLI programs on React and Ink. | ai | |
| dependencies | unvetted-dep:@boost/internal | AI (dependencies): Internal @boost package from same trusted publisher; part of the boost monorepo ecosystem. | ai | |
| dependencies | unvetted-dep:@boost/log | AI (dependencies): First-party @boost monorepo package by the same publisher (milesj); not an external unvetted dependency. | ai | |
| dependencies | unvetted-dep:@boost/translate | AI (dependencies): First-party @boost monorepo package by the same publisher (milesj); not an external unvetted dependency. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @boost namespace is part of established milesj monorepo; Levenshtein distance false positive unrelated to actual package purpose. | ai | |
| dependencies | unvetted-dep:@boost/terminal | AI (dependencies): Internal @boost package from same trusted publisher; part of the boost monorepo ecosystem. | ai | |
| dependencies | unvetted-dep:@boost/args | AI (dependencies): @boost/args is a sibling package in the boost monorepo; stable dependency for CLI argument parsing. | ai | |
| dependencies | unvetted-dep:execa | AI (dependencies): execa is a standard, widely-used process execution library; appropriate for CLI framework. | ai | |

Versions (showing 49 of 49)

Version Deps Published
5.0.0 10 / 4
4.0.1 10 / 4
4.0.0 10 / 4
3.0.3 10 / 4
3.0.2 10 / 4
3.0.1 10 / 4
3.0.0 10 / 4
2.11.2 10 / 4
2.11.1 10 / 4
2.11.0 10 / 4
2.10.5 10 / 4
2.10.4 10 / 4
2.10.3 10 / 4
2.10.2 10 / 4
2.10.1 10 / 4
2.10.0 10 / 4
2.9.1 10 / 4
2.9.0 10 / 4
2.8.2 10 / 4
2.8.1 10 / 4
2.8.0 10 / 4
2.7.0 10 / 4
2.6.0 10 / 3
2.5.0 10 / 3
2.4.4 10 / 3
2.4.3 10 / 3
2.4.2 10 / 3
2.4.1 10 / 2
2.4.0 10 / 2
2.3.0 10 / 2
2.2.0 9 / 2
2.1.2 9 / 2
2.1.1 9 / 2
2.1.0 9 / 2
2.0.1 9 / 2
2.0.0 9 / 2
1.2.1 10 / 1
1.2.0 10 / 1
1.1.0 10 / 1
1.0.0 9 / 1
0.3.3 9 / 1
0.3.2 9 / 1
0.3.1 9 / 1
0.3.0 9 / 1
0.2.0 9 / 1
0.1.0 9 / 2
0.0.3 9 / 2
0.0.2 9 / 2
0.0.1 9 / 2