commander
the complete solution for node.js command-line programs
4
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
shadowspawnabetomo
Keywords
commandercommandoptionparsercliargumentargsargv
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition from 2014; zhiyelee is a long-standing trusted publisher with 27 approved packages. | ai | |
| provenance | missing-githead | AI (provenance): Old publish from 2014 era; npm metadata conventions differed. Not a risk signal for commander. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Commander is a CLI framework that legitimately uses child_process to spawn sub-commands. This is a core, documented feature stable across all versions. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): spawn() calls are used to launch user-defined CLI sub-commands — fundamental to commander's purpose. No malicious use; stable across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 370M weekly downloads and 5000+ day history. Lack of Sigstore provenance is not a meaningful risk signal here. | ai |
Versions (showing 4 of 104)
| Version | Deps | Published |
|---|---|---|
| 0.0.4 | 0 / 1 | |
| 0.0.3 | 0 / 1 | |
| 0.0.1 | 0 / 1 | |
| 15.0.0-0 | 0 / 9 |
v15.0.0-0
2 findings
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
INFO
Publisher changed: abetomo → shadowspawn (on 2026-02-21)
provenance
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-21. This could indicate a legitimate maintainer transition or an account compromise.