@swc/cli — Greenflagged

CLI for the swc project

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kdy1

Keywords

swcclibabeles6transpiletranspilercompilerjavascript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall is a simple echo announcement about the new swcx command. No code execution or network access; purely informational and safe for this package.	ai	2026/04/24
phantom-deps	phantom-dep:@xhmikosr/bin-wrapper	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:semver	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:piscina	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:commander	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:fast-glob	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:minimatch	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:source-map	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:slash	AI (phantom-deps): CLI tool dependency used indirectly; phantom-deps false positive for this package type.	ai	2026/04/24
typosquat	typosquat.levenshtein:joi	AI (typosquat): @swc/cli is the official SWC project CLI, not a typosquat of joi. The name similarity is coincidental and the packages are entirely unrelated.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): @swc/cli is a CLI wrapper for the SWC compiler binary; child_process usage to invoke native binaries is expected and documented behavior.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is used to read the local package.json to detect @swc/core peer dependency version — a standard CLI compatibility check pattern.	ai	2026/04/23
phantom-deps	phantom-dep:@swc/counter	AI (phantom-deps): @swc/counter is a same-org utility used across the SWC ecosystem; phantom dep finding is a false positive for this package.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal coincides with transition to GitHub Actions publishing with SLSA attestation; consistent with legitimate automation of the release process.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — this is a legitimate and encouraged move to automated CI/CD publishing under the official swc-project org.	ai	2026/04/23

Versions (showing 83 of 83)

Version	Deps	Published
0.8.1	9 / 12	2026-04-01
0.8.0	9 / 12	2026-02-06
0.7.10	9 / 12	2026-01-14
0.7.9	9 / 12	2025-11-05
0.7.8	9 / 12	2025-07-09
0.7.7	9 / 12	2025-05-12
0.7.5	9 / 12	2025-05-07
0.7.4	9 / 12	2025-05-06
0.7.3	9 / 12	2025-04-17
0.7.2	9 / 12	2025-04-15
0.7.1	9 / 12	2025-04-15
0.6.0	9 / 12	2025-01-09
0.5.2	9 / 12	2024-12-02
0.5.1	9 / 12	2024-11-19
0.5.0	9 / 12	2024-10-30
0.4.0	9 / 12	2024-06-29
0.3.14	9 / 12	2024-06-22
0.3.13	9 / 12	2024-06-22
0.3.12	9 / 11	2024-04-01
0.3.11	9 / 11	2024-04-01
0.3.10	9 / 11	2024-02-28
0.3.9	9 / 11	2024-02-05
0.3.6	8 / 11	2024-02-01
0.3.5	8 / 14	2024-01-28
0.3.4	8 / 14	2024-01-28
0.3.2	8 / 14	2024-01-26
0.3.1	8 / 14	2024-01-26
0.3.0	8 / 14	2024-01-24
0.2.3	8 / 14	2024-01-24
0.2.2	8 / 14	2024-01-24
0.2.1	8 / 14	2024-01-24
0.2.0	8 / 14	2024-01-24
0.1.65	7 / 14	2024-01-22
0.1.64	7 / 14	2024-01-21
0.1.63	6 / 14	2023-11-16
0.1.62	6 / 14	2023-02-15
0.1.61	6 / 14	2023-02-02
0.1.60	6 / 14	2023-01-31
0.1.59	6 / 14	2022-12-26
0.1.58	6 / 14	2022-12-25
0.1.57	4 / 13	2022-03-28
0.1.56	4 / 13	2022-03-21
0.1.55	4 / 13	2021-12-14
0.1.54	5 / 14	2021-12-13
0.1.53	5 / 11	2021-12-10
0.1.52	4 / 10	2021-11-24
0.1.51	4 / 10	2021-09-28
0.1.50	4 / 10	2021-09-18
0.1.49	4 / 10	2021-08-17
0.1.48	4 / 10	2021-08-17
0.1.46	4 / 8	2021-06-09
0.1.45	6 / 10	2021-05-28
0.1.44	6 / 9	2021-05-28
0.1.42	6 / 9	2021-05-23
0.1.41	6 / 8	2021-05-22
0.1.40	6 / 8	2021-05-12
0.1.39	6 / 8	2021-04-19
0.1.38	6 / 8	2021-04-19
0.1.37	6 / 8	2021-04-19
0.1.36	6 / 8	2021-03-26
0.1.35	6 / 8	2021-02-25
0.1.34	12 / 13	2021-01-25
0.1.33	12 / 13	2021-01-24
0.1.32	12 / 13	2021-01-18
0.1.31	12 / 13	2021-01-18
0.1.30	12 / 13	2021-01-18
0.1.29	12 / 13	2021-01-18
0.1.28	12 / 13	2021-01-17
0.1.27	12 / 13	2020-09-21
0.1.26	12 / 13	2020-06-18
0.1.24	10 / 10	2020-03-31
0.1.23	10 / 10	2020-02-13
0.1.22	10 / 10	2020-01-22
0.1.21	10 / 10	2019-12-23
0.1.20	10 / 10	2019-12-22
0.1.19	10 / 10	2019-12-22
0.1.18	10 / 10	2019-03-17
0.1.16	10 / 10	2019-03-01
0.1.15	10 / 10	2019-02-26
0.1.14	10 / 10	2019-02-21
0.1.13	10 / 10	2019-02-20
0.1.12	10 / 10	2019-02-15
0.1.10	10 / 10	2019-02-15

v0.8.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.0

2 findings

HIGH Publisher changed: kdy1 → GitHub Actions (on 2026-02-06) provenance

This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.10

2 findings

HIGH Publisher changed: kdy1 → GitHub Actions (on 2026-01-14) provenance

This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.9

2 findings

HIGH Publisher changed: kdy1 → GitHub Actions (on 2025-11-05) provenance

This version was published by a different npm account than previous versions on 2025-11-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.