@redocly/cli
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): Used in OAuth device flow to open browser; not arbitrary command execution from user input. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads own package.json via __dirname for node version assertion; not user-controlled input. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is used for build-docs HTML templating; legitimate, long-standing use in this CLI. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): chokidar is a declared runtime dep used by the CLI's file-watching feature; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:form-data | AI (phantom-deps): form-data is a declared runtime dep for HTTP multipart uploads; phantom-dep heuristic is a false positive. | ai | |
| phantom-deps | phantom-dep:abort-controller | AI (phantom-deps): abort-controller is a declared runtime dep for fetch cancellation; phantom-dep heuristic is a false positive. | ai | |
| phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): ajv-formats used alongside aliased ajv; phantom-dep heuristic misfires. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is part of AES credential decryption in oauth-client.js — legitimate crypto usage, not obfuscation. | ai | |
| phantom-deps | phantom-dep:simple-websocket | AI (phantom-deps): simple-websocket used in websocket features; stable false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @redocly/cli; Levenshtein match to 'joi' is a false positive with no brand impersonation. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): ajv is declared as npm alias (@redocly/ajv) and used via config; phantom-dep heuristic misfires on aliased deps. | ai | |
| phantom-deps | phantom-dep:mobx | AI (phantom-deps): mobx is a peer/transitive dep for redoc rendering; phantom-dep heuristic fires on indirect usage. | ai | |
| phantom-deps | phantom-dep:picomatch | AI (phantom-deps): picomatch used via glob internals; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pluralize | AI (phantom-deps): pluralize used in generated code or transitive context; stable false positive. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 2.31.3 | 28 / 9 | |
| 2.31.2 | 28 / 9 | |
| 2.31.1 | 28 / 9 | |
| 2.31.0 | 28 / 9 | |
| 2.30.6 | 28 / 9 | |
| 2.30.3 | 28 / 9 | |
| 2.30.2 | 28 / 9 | |
| 2.25.3 | 29 / 9 | |
| 2.7.1 | 26 / 10 | |
| 2.7.0 | 26 / 10 | |
| 2.0.7 | 26 / 10 | |
| 2.0.5 | 26 / 10 | |
| 2.0.4 | 26 / 10 | |
| 2.0.1 | 26 / 10 | |
| 1.34.13 | 26 / 8 | |
| 1.34.10 | 26 / 8 | |
v2.31.3 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.31.2 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.31.1 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.31.0 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.30.6 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.30.3 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.30.2 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.25.3 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.1 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.0 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.7 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.5 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.13 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.34.10 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.