@mintlify/cli
The Mintlify CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Chalk is used indirectly through the CLI's output formatting; phantom dependency pattern is normal for CLI tools. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Semver is used indirectly through dependency resolution; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:front-matter | AI (phantom-deps): Front-matter is used indirectly for configuration parsing; expected for documentation CLI. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): References are in test files validating that path traversal to /etc/passwd is correctly rejected. Security test, not credential harvesting. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard CLI pattern: spreading process.env into child process spawn to pass environment through. Not exfiltration. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @mintlify/cli from established Mintlify org is not a typosquat of 'joi'. False positive from short name Levenshtein match. | ai | |
Versions (showing 100 of 677)
| Version | Deps | Published |
|---|---|---|
| 4.0.1191 | 25 / 17 | |
| 4.0.1190 | 25 / 17 | |
| 4.0.1189 | 25 / 17 | |
| 4.0.1188 | 25 / 17 | |
| 4.0.1187 | 25 / 17 | |
| 4.0.1186 | 25 / 17 | |
| 4.0.1185 | 25 / 17 | |
| 4.0.1184 | 25 / 17 | |
| 4.0.1183 | 25 / 17 | |
| 4.0.1182 | 25 / 17 | |
| 4.0.1181 | 25 / 17 | |
| 4.0.1180 | 25 / 17 | |
| 4.0.1179 | 25 / 19 | |
| 4.0.1178 | 25 / 19 | |
| 4.0.1177 | 25 / 19 | |
| 4.0.1176 | 25 / 19 | |
| 4.0.1175 | 25 / 19 | |
| 4.0.1174 | 25 / 19 | |
| 4.0.1173 | 25 / 19 | |
| 4.0.1172 | 25 / 19 | |
| 4.0.1171 | 25 / 19 | |
| 4.0.1170 | 25 / 19 | |
| 4.0.1169 | 25 / 19 | |
| 4.0.1168 | 25 / 19 | |
| 4.0.1167 | 25 / 19 | |
| 4.0.1166 | 25 / 19 | |
| 4.0.1165 | 25 / 19 | |
| 4.0.1164 | 25 / 19 | |
| 4.0.1163 | 25 / 19 | |
| 4.0.1162 | 25 / 19 | |
| 4.0.1161 | 25 / 19 | |
| 4.0.1160 | 25 / 19 | |
| 4.0.1159 | 25 / 19 | |
| 4.0.1158 | 25 / 19 | |
| 4.0.1157 | 25 / 19 | |
| 4.0.1156 | 25 / 19 | |
| 4.0.1155 | 25 / 19 | |
| 4.0.1154 | 25 / 19 | |
| 4.0.1153 | 25 / 19 | |
| 4.0.1152 | 25 / 19 | |
| 4.0.1151 | 25 / 19 | |
| 4.0.1150 | 25 / 19 | |
| 4.0.1149 | 25 / 19 | |
| 4.0.1148 | 25 / 19 | |
| 4.0.1147 | 25 / 19 | |
| 4.0.1146 | 25 / 19 | |
| 4.0.1145 | 25 / 19 | |
| 4.0.1144 | 25 / 19 | |
| 4.0.1143 | 25 / 19 | |
| 4.0.1142 | 25 / 19 | |
| 4.0.1141 | 24 / 19 | |
| 4.0.1140 | 24 / 19 | |
| 4.0.1139 | 24 / 19 | |
| 4.0.1138 | 24 / 19 | |
| 4.0.1137 | 24 / 19 | |
| 4.0.1136 | 24 / 19 | |
| 4.0.1135 | 24 / 19 | |
| 4.0.1134 | 24 / 19 | |
| 4.0.1133 | 24 / 19 | |
| 4.0.1132 | 24 / 19 | |
| 4.0.1131 | 24 / 19 | |
| 4.0.1130 | 24 / 19 | |
| 4.0.1129 | 24 / 19 | |
| 4.0.1128 | 24 / 19 | |
| 4.0.1127 | 24 / 19 | |
| 4.0.1126 | 24 / 19 | |
| 4.0.1125 | 24 / 19 | |
| 4.0.1124 | 24 / 19 | |
| 4.0.1123 | 24 / 19 | |
| 4.0.1122 | 24 / 19 | |
| 4.0.1121 | 24 / 19 | |
| 4.0.1120 | 24 / 19 | |
| 4.0.1119 | 24 / 19 | |
| 4.0.1118 | 24 / 19 | |
| 4.0.1117 | 24 / 19 | |
| 4.0.1116 | 24 / 19 | |
| 4.0.1115 | 24 / 19 | |
| 4.0.1114 | 24 / 19 | |
| 4.0.1113 | 24 / 19 | |
| 4.0.1112 | 24 / 19 | |
| 4.0.1111 | 24 / 19 | |
| 4.0.1110 | 24 / 19 | |
| 4.0.1109 | 24 / 19 | |
| 4.0.1108 | 24 / 19 | |
| 4.0.1107 | 24 / 19 | |
| 4.0.1106 | 24 / 19 | |
| 4.0.1105 | 24 / 19 | |
| 4.0.1104 | 24 / 19 | |
| 4.0.1103 | 24 / 19 | |
| 4.0.1102 | 24 / 19 | |
| 4.0.1101 | 24 / 19 | |
| 4.0.1100 | 24 / 19 | |
| 4.0.1099 | 24 / 19 | |
| 4.0.1098 | 24 / 19 | |
| 4.0.1097 | 24 / 19 | |
| 4.0.1096 | 24 / 19 | |
| 4.0.1095 | 24 / 19 | |
| 4.0.1094 | 24 / 19 | |
| 4.0.1093 | 24 / 19 | |
| 4.0.1092 | 24 / 19 | |
v4.0.1191
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1190
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1189
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1188
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1187
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1186
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1185
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1184
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1183
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1182
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1181
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1180
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1179
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1178
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1177
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1176
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1175
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1174
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1173
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1172
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1171
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1170
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1169
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1168
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1167
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1166
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1165
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1164
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1163
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1162
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1161
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1160
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1159
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1158
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1157
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1156
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1155
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1154
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1153
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1152
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1151
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1150
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1149
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1148
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1147
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1146
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1145
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1144
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1143
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1142
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1141
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1140
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1139
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1138
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1137
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1136
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1135
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1134
6 findings:

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/mintlify/mint/blob/b75a34c35cbde8a316a9480b326a57414ec075f2/__test__/pathValidation.test.ts#L8
```
   6 | describe('path traversal prevention', () => {
   7 |   it('rejects path traversal with ../', async () => {
>  8 |     await expect(readLocalOpenApiFile('../etc/passwd')).rejects.toThrow(
   9 |       'path: ../etc/passwd is outside the current directory'
  10 |     );
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/mintlify/mint/blob/b75a34c35cbde8a316a9480b326a57414ec075f2/__test__/pathValidation.test.ts#L9
```
   7 |   it('rejects path traversal with ../', async () => {
   8 |     await expect(readLocalOpenApiFile('../etc/passwd')).rejects.toThrow(
>  9 |       'path: ../etc/passwd is outside the current directory'
  10 |     );
  11 |   });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/mintlify/mint/blob/b75a34c35cbde8a316a9480b326a57414ec075f2/__test__/pathValidation.test.ts#L14
```
  12 |
  13 |   it('rejects absolute paths', async () => {
> 14 |     await expect(readLocalOpenApiFile('/etc/passwd')).rejects.toThrow(
  15 |       'path: /etc/passwd is outside the current directory'
  16 |     );
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/mintlify/mint/blob/b75a34c35cbde8a316a9480b326a57414ec075f2/__test__/pathValidation.test.ts#L15
```
  13 |   it('rejects absolute paths', async () => {
  14 |     await expect(readLocalOpenApiFile('/etc/passwd')).rejects.toThrow(
> 15 |       'path: /etc/passwd is outside the current directory'
  16 |     );
  17 |   });
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mintlify/mint/blob/b75a34c35cbde8a316a9480b326a57414ec075f2/src/index.ts#L76
```
  74 | cli = spawn('node', ['--no-deprecation', path.join(__dirname, '../bin/start.js'), ...userArgs], {
  75 |   stdio: 'inherit',
> 76 |   env: {
  77 |     ...process.env,
  78 |     MINTLIFY_PACKAGE_NAME: packageName,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1133
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1132
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1131
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1130
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1129
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1128
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1127
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1126
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1125
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1124
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1123
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1122
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1121
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1120
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1119
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1118
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1117
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1116
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1115
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1114
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1113
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1112
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1111
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1110
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1109
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1108
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1107
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1106
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1105
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1104
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1103
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1102
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1101
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1100
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1099
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1098
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1097
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1096
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1095
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1094
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1093
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1092
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.