@oclif/core — Greenflagged

base library for oclif CLIs

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mdonnalleysalesforce-releases

Keywords

oclifclicommandcommand lineparserargsargv

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Salesforce-maintained package with 454 versions and strong track record; periodic dormancy between releases is normal for stable CLI framework libraries.	ai	2026/04/23
semgrep	semgrep:toplevel-fetch	AI (semgrep): Top-level fetch in CLI config initialization is a legitimate pattern; no evidence of exfiltration.	ai	2026/04/23
phantom-deps	phantom-dep:@types/cli-progress	AI (phantom-deps): TypeScript type definitions loaded by convention; expected for @types/* packages in CLI frameworks.	ai	2026/04/23
dependencies	unvetted-dep:@types/cli-progress	AI (dependencies): Type definitions for established cli-progress package; legitimate dev-time dependency.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): 76 new files expected for major version rewrite of oclif framework; legitimate TypeScript source expansion.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): minimatch@^9.0.3 is an established, widely-trusted glob pattern library; legitimate addition for CLI framework.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal without new maintainers is normal in mature projects; no takeover signal.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Provenance absence is a best-practice gap, not a security issue for this established package.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): The new Function() call is a documented CJS/ESM interop workaround for dynamic import() in TypeScript-compiled code. Input is a resolved module path, not arbitrary user input. Stable pattern for this package.	ai	2026/04/23
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is explicitly declared as a runtime dependency in package.json. This is a false positive; tslib is a standard TypeScript runtime helper used by this package.	ai	2026/04/23
dependencies	unvetted-dep:ejs	AI (dependencies): ejs is a standard, legitimate templating library; appropriate dependency for CLI framework.	ai	2026/04/21
dependencies	unvetted-dep:ansi-escapes	AI (dependencies): ansi-escapes is a legitimate, widely-used terminal utility; stable dependency for this CLI framework.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped @oclif package; Levenshtein match to 'cors' is coincidental, not typosquatting.	ai	2026/04/21
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require of ts-node is a standard pattern in CLI frameworks for optional TypeScript support; constrained to known module, not arbitrary code execution.	ai	2026/04/21