ember-cli
Command line tool for developing ambitious ember.js apps
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate automation transition. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Monorepo CI publish with SLSA provenance; dormancy reflects repo restructuring, not takeover. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used in addon proxy for transparent property forwarding; not obfuscation. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): Phantom-dep heuristic false positive for build tool with many indirect usages. | ai | |
| phantom-deps | phantom-dep:exit | AI (phantom-deps): Phantom-dep heuristic false positive; stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Plugin/addon loader pattern; stable and expected for ember-cli across versions. | ai | |
| phantom-deps | phantom-dep:@ember-tooling/classic-build-app-blueprint | AI (phantom-deps): Blueprint deps loaded dynamically by design; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@ember-tooling/classic-build-addon-blueprint | AI (phantom-deps): Blueprint deps loaded dynamically by design; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@ember-tooling/blueprint-blueprint | AI (phantom-deps): Blueprint deps loaded dynamically by design; not a real phantom dep. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Build tool legitimately invokes package managers via execSync; stable pattern. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 7.0.1 | 84 / 32 | |
| 7.0.0 | 84 / 32 | |
| 6.12.0 | 84 / 32 | |
| 6.11.2 | 85 / 32 | |
| 6.11.1 | 85 / 32 | |
| 6.11.0 | 85 / 32 | |
| 6.10.3 | 85 / 32 | |
| 6.10.2 | 85 / 32 | |
| 6.10.0 | 87 / 31 | |
| 6.9.1 | 87 / 31 | |
| 6.9.0 | 87 / 31 | |
| 6.8.1 | 87 / 31 | |
| 6.8.0 | 87 / 31 | |
| 6.7.2 | 86 / 32 | |
| 6.7.1 | 86 / 32 | |
| 6.7.0 | 86 / 32 | |
| 6.6.0 | 82 / 32 | |
| 6.5.0 | 82 / 31 | |
| 6.4.0 | 82 / 31 | |
v7.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.11.2
2 findings:
- This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.11.1
2 findings:
- This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.11.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.10.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.10.2
2 findings:
- This version was published by a different npm account than previous versions on 2026-02-09. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.10.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.9.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.9.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.8.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.8.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.7.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.7.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.