@oclif/command
oclif base command
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established oclif org package; missing gitHead reflects a publish environment change, not a security concern. Stable false positive for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): oclif-bot removal is part of the same Salesforce org transition; not indicative of a hostile takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @oclif/config and @oclif/plugin-help are first-party oclif packages from the same org; natural dependencies for this base command package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are named Salesforce engineers and salesforce-releases account — consistent with Salesforce's stewardship of the oclif project. Legitimate org transition. | ai | |
| provenance | publisher-changed | AI (provenance): The dickeyxxx → oclif-bot transition occurred in Feb 2018 and represents a legitimate move to an org automation account. 100+ subsequent versions confirm this is the official publisher for the oclif org. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the package's own package.json to check Node version — entirely benign and stable for this package. | ai | |
| typosquat | typosquat.levenshtein:commander | AI (typosquat): @oclif/command is a legitimate Salesforce/oclif framework package, not a typosquat of commander. The scoped namespace, age, and publisher track record confirm this is a false positive. | ai |
Versions (showing 51 of 106)
| Version | Deps | Published |
|---|---|---|
| 1.8.36 | 6 / 17 | |
| 1.8.35 | 6 / 17 | |
| 1.8.34 | 6 / 17 | |
| 1.8.33 | 6 / 17 | |
| 1.8.32 | 6 / 17 | |
| 1.8.31 | 6 / 17 | |
| 1.8.30 | 6 / 17 | |
| 1.8.29 | 6 / 17 | |
| 1.8.28 | 6 / 17 | |
| 1.8.27 | 6 / 17 | |
| 1.8.26 | 6 / 17 | |
| 1.8.25 | 6 / 17 | |
| 1.8.24 | 6 / 17 | |
| 1.8.23 | 6 / 17 | |
| 1.8.22 | 6 / 17 | |
| 1.8.21 | 6 / 17 | |
| 1.8.20 | 6 / 17 | |
| 1.8.19 | 6 / 17 | |
| 1.8.18 | 6 / 17 | |
| 1.8.16 | 6 / 17 | |
| 1.8.15 | 6 / 17 | |
| 1.8.14 | 6 / 17 | |
| 1.8.13 | 6 / 17 | |
| 1.8.12 | 6 / 17 | |
| 1.8.11 | 6 / 17 | |
| 1.8.10 | 6 / 17 | |
| 1.8.9 | 6 / 17 | |
| 1.8.8 | 6 / 17 | |
| 1.8.7 | 6 / 17 | |
| 1.8.6 | 6 / 17 | |
| 1.8.5 | 6 / 17 | |
| 1.8.4 | 6 / 17 | |
| 1.8.3 | 6 / 17 | |
| 1.8.2 | 6 / 17 | |
| 1.8.1 | 6 / 17 | |
| 1.8.0 | 6 / 17 | |
| 1.7.0 | 6 / 17 | |
| 1.6.1 | 6 / 17 | |
| 1.6.0 | 6 / 17 | |
| 1.5.20 | 6 / 16 | |
| 1.5.19 | 6 / 15 | |
| 1.5.18 | 6 / 15 | |
| 1.5.17 | 4 / 17 | |
| 1.5.16 | 4 / 17 | |
| 1.5.15 | 4 / 17 | |
| 1.5.14 | 4 / 17 | |
| 1.5.13 | 4 / 17 | |
| 1.5.12 | 4 / 17 | |
| 1.5.11 | 4 / 17 | |
| 1.5.10 | 4 / 17 | |
| 1.5.8 | 4 / 17 |
v1.8.36
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.35
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-08. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-06. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.8
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-06. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-23. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.8.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-06-29. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.20
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.19
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.18
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.17
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.16
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.14
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: elbandito.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.11
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: elbandito.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-27. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.10
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-11. This could indicate a legitimate maintainer transition or an account compromise.
v1.5.8
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-18. This could indicate a legitimate maintainer transition or an account compromise.