command-exists
check whether a command line command exists in the current environment
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): command-exists uses child_process to check for CLI command availability — this is the core, documented purpose of the package and not a security concern. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived stable utility package; dormancy is consistent with a mature, low-churn library. No material changes in this version vs prior approved release. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 1.2.9 | 0 / 3 | |
| 1.2.8 | 0 / 3 | |
| 1.2.7 | 0 / 3 | |
| 1.2.6 | 0 / 3 | |
| 1.2.5 | 0 / 3 | |
| 1.2.4 | 0 / 3 | |
v1.2.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.