@nocobase/cli — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

chenosjiannlu

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): Major CLI rewrite from commander to oclif; new files reflect legitimate architectural expansion.	ai	2026/06/11
phantom-deps	phantom-dep:@inquirer/type	AI (phantom-deps): Type-only package used for TypeScript type declarations; not directly imported at runtime.	ai	2026/06/11
phantom-deps	phantom-dep:openapi-types	AI (phantom-deps): Type-only dependency used in config/type declarations; not directly imported at runtime.	ai	2026/06/11
source-diff	source-size-tripled	AI (source-diff): Size increase explained by oclif migration, bundled DB drivers, and interactive prompt libraries.	ai	2026/06/11
bogus-package	bogus-package	AI (bogus-package): Monorepo sub-package CLI tool; documentation lives in the main project repo. README signals are expected for this package structure.	ai	2026/04/26
dependencies	unvetted-dep:pm2	AI (dependencies): pm2 is a well-known, widely-used Node.js process manager. Legitimate dependency for a CLI tool.	ai	2026/04/26
dependencies	unvetted-dep:@umijs/utils	AI (dependencies): @umijs/utils is part of the established UmiJS ecosystem, used here for dev tooling.	ai	2026/04/26
dependencies	unvetted-dep:@nocobase/license-kit	AI (dependencies): First-party NocoBase license management package, consistent with the project's own ecosystem.	ai	2026/04/26
semgrep	semgrep:new-function-constructor	AI (semgrep): Used to parse npm CLI stdout (JS array literal) for version listing — input is controlled, not user-supplied. Stable pattern for this package.	ai	2026/04/26
typosquat	typosquat.levenshtein:joi	AI (typosquat): @nocobase/cli is a scoped package for the NocoBase platform, not a typosquat of joi. Levenshtein comparison is a false positive on scoped package names.	ai	2026/04/25
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads cronstrue locale files; input is constrained by a known langs map, not arbitrary user input.	ai	2026/04/25
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IP 127.0.0.1 is localhost used as a local dev proxy fallback. Completely benign for a development CLI tool.	ai	2026/04/25
semgrep	semgrep:env-spread	AI (semgrep): Spreading process.env into subprocess env is standard CLI dev tool behavior for forwarding shell environment to child processes. Not credential exfiltration.	ai	2026/04/25
phantom-deps	phantom-dep:tsx	AI (phantom-deps): tsx is a TypeScript runner invoked by the CLI as a subprocess, not imported directly. Expected pattern.	ai	2026/04/25
phantom-deps	phantom-dep:@types/fs-extra	AI (phantom-deps): @types packages are type definitions used at compile time, not imported at runtime. Standard pattern.	ai	2026/04/25
phantom-deps	phantom-dep:pm2	AI (phantom-deps): pm2 is used as a process manager at runtime by the CLI; phantom-dep detection is a false positive for this usage pattern.	ai	2026/04/25