@webflow/webflow-cli — Greenflagged

The Webflow CLI is a command-line interface that allows you to interact with various Webflow developer products, including Devlink and Designer Extensions.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

callmevladwebflow-botfederico.fioriniiammerrick-wfalbert.changwf-guillermozmcnellis_webflow

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-dropped	AI (source-diff): Size drop consistent with moving from bundled to unbundled dist; not indicative of malicious stub replacement for this package.	ai	2026/06/13
maintainer-change	maintainer-removed	AI (maintainer-change): Webflow's official CLI managed by webflow-bot; team roster changes are expected for this org-owned package.	ai	2026/06/12
publish-pattern	dormant-publish	AI (publish-pattern): Official Webflow-scoped CLI with 128 versions and 77.8k downloads; gap explained by major feature work.	ai	2026/05/23
publish-pattern	new-deps-added	AI (publish-pattern): jsdom is a well-established package; addition is consistent with CLI HTML-processing use cases.	ai	2026/04/29
phantom-deps	phantom-dep:inquirer	AI (phantom-deps): inquirer is declared and used indirectly via config parsing; expected for CLI tools with interactive prompts.	ai	2026/04/26
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard practice; absence is not a security concern for this mature package.	ai	2026/04/26
dependencies	unvetted-dep:webflow-api	AI (dependencies): webflow-api is Webflow's own official SDK; its use in the Webflow CLI is expected and first-party. Not a security concern.	ai	2026/04/26
phantom-deps	phantom-dep:jsonc-parser	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
bogus-package	bogus-package	AI (bogus-package): Established @webflow scoped package with 42k weekly downloads and 113 versions. Heuristics are false positives for this org's CLI tool.	ai	2026/04/26
phantom-deps	phantom-dep:filenamify	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:env-paths	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:css-tree	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:postcss	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:zod	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:ora	AI (phantom-deps): Bundled CLI tool; deps referenced in build/config files rather than directly imported. Stable false positive for this package.	ai	2026/04/26

Versions (showing 25 of 25)

Version	Deps	Published
2.0.0	46 / 23	2026-05-29
1.20.0	48 / 25	2026-04-29
1.15.1	47 / 25	2026-04-22
1.15.0	47 / 25	2026-04-21
1.14.0	47 / 25	2026-04-17
1.13.1	47 / 25	2026-04-08
1.12.6	45 / 25	2026-03-13
1.12.4	45 / 25	2026-03-05
1.12.3	45 / 25	2026-03-03
1.12.0	45 / 25	2026-02-05
1.9.0	45 / 25	2025-12-15
1.8.51	45 / 25	2025-12-05
1.8.49	45 / 25	2025-11-07
1.8.48	45 / 26	2025-10-28
1.8.47	45 / 26	2025-10-27
1.8.39	43 / 26	2025-09-04
1.8.32	42 / 25	2025-08-11
1.8.9	32 / 24	2025-06-19
1.8.1	28 / 21	2025-05-23
1.8.0	28 / 21	2025-05-23
1.7.4	10 / 12	2025-05-22
1.7.3	2 / 12	2025-05-22
1.7.2	1 / 12	2025-05-22
1.7.1	1 / 12	2025-05-05
1.7.0	1 / 12	2025-05-05

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.