cli-ux
cli IO utilities
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Mature package with strong ecosystem trust; provenance is a best-practice recommendation, not a security blocker. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within the oclif team (rasphilco → elbandito), both long-standing contributors. Change occurred in 2019. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): js-yaml and cli-progress are well-established, widely-used packages with no malicious history; additions are consistent with CLI utility feature expansion. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal maintainer transition in mature package; no new maintainers added, no takeover indicators. | ai | |
| dependencies | unvetted-dep:treeify | AI (dependencies): treeify is a small, stable tree-rendering utility; its use in cli-ux for CLI output display is expected and benign across all versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require caching is a standard pattern for lazy-loading modules; no arbitrary code execution risk. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Loaded on-demand via the lazy-require cache in deps.js; declared in package.json dependencies. Not a security concern. | ai | |
| phantom-deps | phantom-dep:ansi-escapes | AI (phantom-deps): Loaded on-demand via the lazy-require cache in deps.js; declared in package.json dependencies. Not a security concern. | ai | |
| phantom-deps | phantom-dep:password-prompt | AI (phantom-deps): Loaded on-demand via the lazy-require cache in deps.js; declared in package.json dependencies. Not a security concern. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): cli-ux is a long-established Salesforce/oclif package with 819k weekly downloads and a verified publisher track record. The dormancy likely reflects migration to @oclif/core rather than account takeover. | ai | |
| dependencies | unvetted-dep:@oclif/linewrap | AI (dependencies): @oclif/linewrap is a first-party oclif package from the same Salesforce org; no risk. | ai | |
| dependencies | unvetted-dep:natural-orderby | AI (dependencies): natural-orderby is a well-known sorting utility; appropriate for CLI table/list output. | ai | |
| dependencies | unvetted-dep:password-prompt | AI (dependencies): password-prompt is a well-known terminal prompt utility; expected in a CLI IO library. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): Declared in package.json and used transitively/in types; common pattern in TypeScript CLI packages. | ai | |
| phantom-deps | phantom-dep:clean-stack | AI (phantom-deps): Declared in package.json and used transitively/in types; common pattern in TypeScript CLI packages. | ai | |
| phantom-deps | phantom-dep:extract-stack | AI (phantom-deps): Declared in package.json and used transitively/in types; common pattern in TypeScript CLI packages. | ai | |
| phantom-deps | phantom-dep:indent-string | AI (phantom-deps): Declared in package.json and used transitively/in types; common pattern in TypeScript CLI packages. | ai | |
| dependencies | unvetted-dep:object-treeify | AI (dependencies): object-treeify is a small utility for tree-formatted output; appropriate for a CLI display library. | ai | |
| dependencies | unvetted-dep:hyperlinker | AI (dependencies): hyperlinker is a small, well-known utility for terminal hyperlinks; appropriate for a CLI library. | ai | |
| dependencies | unvetted-dep:@oclif/screen | AI (dependencies): @oclif/screen is a first-party oclif package from the same Salesforce org; no risk. | ai | |
| dependencies | unvetted-dep:extract-stack | AI (dependencies): extract-stack is a well-known error stack utility; appropriate for CLI error handling. | ai | |
| dependencies | unvetted-dep:cardinal | AI (dependencies): cardinal is a well-known syntax highlighting library; appropriate for a CLI utility package. | ai | |
| dependencies | unvetted-dep:ansi-escapes | AI (dependencies): ansi-escapes is a well-known, widely-used terminal escape code library with no security concerns. Safe dependency for a CLI utility. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): Top-level fetch() in config initialization is expected for a CLI utility library; no exfiltration pattern detected. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is documented capability for cli-ux's open() function; legitimate for CLI utilities. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 6.0.9 | 25 / 23 | |
| 6.0.8 | 25 / 23 | |
| 6.0.7 | 25 / 23 | |
| 6.0.6 | 25 / 23 | |
| 6.0.5 | 25 / 23 | |
| 6.0.4 | 25 / 23 | |
| 6.0.3 | 25 / 23 | |
| 6.0.2 | 25 / 23 | |
| 6.0.1 | 25 / 23 | |
| 6.0.0 | 25 / 23 | |
| 5.6.7 | 26 / 25 | |
| 5.6.6 | 26 / 25 | |
| 5.6.5 | 26 / 25 | |
| 5.6.4 | 26 / 25 | |
| 5.6.3 | 26 / 25 | |
| 5.6.2 | 26 / 25 | |
| 5.5.1 | 26 / 25 | |
| 5.5.0 | 26 / 25 | |
| 5.4.10 | 26 / 25 | |
| 5.4.9 | 26 / 25 | |
| 5.4.8 | 26 / 25 | |
| 5.4.7 | 26 / 25 | |
| 5.4.6 | 26 / 25 | |
| 5.4.5 | 26 / 25 | |
| 5.4.4 | 26 / 25 | |
| 5.4.3 | 26 / 25 | |
| 5.4.2 | 26 / 25 | |
| 5.4.1 | 26 / 25 | |
| 5.4.0 | 26 / 26 | |
| 5.3.3 | 24 / 26 | |
| 5.3.2 | 24 / 26 | |
| 5.3.1 | 24 / 26 | |
| 5.3.0 | 24 / 26 | |
| 5.2.2 | 24 / 26 | |
| 5.2.1 | 24 / 26 | |
| 5.2.0 | 24 / 26 | |
| 5.1.0 | 24 / 26 | |
| 5.0.0 | 24 / 26 | |
v6.0.9
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-31. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-04. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-01-27. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-01-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-12-11. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-10-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-26. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-07-11. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-20. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-12. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.0
2 findings
This version was published by a different npm account than previous versions on 2019-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.