@oclif/plugin-plugins
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 330 versions published by Salesforce's official account; the dormancy signal appears to be a miscalculation for this actively maintained package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is used to run a local rm.js cleanup script for node_modules.old during plugin updates — a documented oclif pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same detached spawn instance as silent-process-exec; path is derived from import.meta.url (local), not remote input. Legitimate cleanup pattern. | ai | |
| dependencies | unvetted-dep:yarn | AI (dependencies): yarn is a well-known package manager; its inclusion as a runtime dep is expected for an oclif plugin-management plugin. | ai | |
| phantom-deps | phantom-dep:npm | AI (phantom-deps): npm is a legitimate runtime dependency for a plugin manager; it is invoked as a CLI tool rather than imported as a module, causing the phantom-dep false positive. | ai | |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 5.4.72 | 11 / 28 | |
| 5.4.71 | 11 / 28 | |
| 5.4.70 | 11 / 28 | |
| 5.4.69 | 11 / 28 | |
| 5.4.68 | 11 / 28 | |
| 5.4.67 | 11 / 28 | |
| 5.4.66 | 11 / 28 | |
| 5.4.65 | 11 / 28 | |
| 5.4.64 | 11 / 28 | |
| 5.4.63 | 11 / 28 | |
| 5.4.62 | 11 / 28 | |
| 5.4.61 | 11 / 28 | |
| 5.4.60 | 11 / 28 | |
| 5.4.59 | 11 / 28 | |
| 5.4.58 | 11 / 28 | |
| 5.4.57 | 11 / 28 | |
| 5.4.56 | 11 / 28 | |
| 5.4.55 | 11 / 28 | |
| 5.4.54 | 11 / 28 | |
| 5.4.53 | 11 / 28 | |
| 5.4.52 | 11 / 28 | |
| 5.4.51 | 11 / 28 | |
| 5.4.50 | 11 / 28 | |
| 5.4.49 | 11 / 28 | |
| 5.4.48 | 11 / 28 | |
| 5.4.47 | 11 / 28 | |
| 5.4.46 | 11 / 28 | |
| 5.4.45 | 11 / 28 | |
| 5.4.44 | 11 / 28 | |
| 5.4.43 | 11 / 28 | |
| 5.4.42 | 11 / 28 | |
| 5.4.41 | 11 / 28 | |
| 5.4.40 | 11 / 28 | |
| 5.4.39 | 11 / 28 | |
| 5.4.38 | 11 / 28 | |
| 5.4.37 | 11 / 28 | |
v5.4.72
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.71
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.70
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.69
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.68
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.67
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.66
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.65
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.64
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.63
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.62
3 findings:
- Silent detached process — runs invisibly in the background (reverse shells, miners). This finding is reported twice, once under each of the two semgrep rules listed in Accepted risks (silent-process-exec and silent-process-exec-var), for the same spawn call. Source: https://github.com/oclif/plugin-plugins/blob/06a5ba0b7ffba1946fcf9b0fc6133e1a01d825dc/lib/plugins.js#L360

```text
358 | const rmScript = join(dirname(fileURLToPath(import.meta.url)), 'rm.js');
359 | this.debug(`spawning ${rmScript} to remove node_modules.old`);
> 360 | spawn(process.argv[0], [rmScript, join(this.config.dataDir, 'node_modules.old')], {
361 |   detached: true,
362 |   stdio: 'ignore',
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.61
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.60
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.59
3 findings:
- Silent detached process — runs invisibly in the background (reverse shells, miners). This finding is reported twice, once under each of the two semgrep rules listed in Accepted risks (silent-process-exec and silent-process-exec-var), for the same spawn call. Source: https://github.com/oclif/plugin-plugins/blob/651f8a41bd081f3eb446e447c4f5e2dd9b699b55/lib/plugins.js#L357

```text
355 | const rmScript = join(dirname(fileURLToPath(import.meta.url)), 'rm.js');
356 | this.debug(`spawning ${rmScript} to remove node_modules.old`);
> 357 | spawn(process.argv[0], [rmScript, join(this.config.dataDir, 'node_modules.old')], {
358 |   detached: true,
359 |   stdio: 'ignore',
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.58
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.57
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.56
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.55
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.54
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.53
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.51
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.50
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.49
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.48
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.47
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.46
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.45
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.44
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.43
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.42
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.41
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.40
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.39
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.38
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.4.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.