grunt-cli
The grunt command line interface
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:sleekcode.net | AI (email-domain): Theoretical domain-takeover risk on a legacy maintainer email; no code-level threat in this well-established package. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): cowboy→tkellen is a well-documented Grunt core team transfer from 2014; both are long-standing trusted maintainers. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): tkellen is a known Grunt core team member added in a legitimate 2014 maintainer transition. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): resolve is used at runtime for grunt module resolution; not a phantom dependency. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): cowboy (Ben Alman) handed off grunt-cli maintenance to tkellen (Tyler Kellen) in 2014; legitimate transfer. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): glob is a legitimate declared dependency used indirectly by grunt-cli; phantom-dep pattern is expected for CLI tools. | ai | |
| phantom-deps | phantom-dep:findup-sync | AI (phantom-deps): findup-sync is a legitimate declared dependency used indirectly; phantom-dep pattern is expected for CLI tools. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is a legitimate declared dependency used indirectly; phantom-dep pattern is expected for CLI tools. | ai | |
| phantom-deps | phantom-dep:grunt | AI (phantom-deps): grunt is the core dependency for this CLI wrapper; phantom-dep pattern is expected for CLI tools. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; no CI provenance expected for this era of publishing. | ai | |
| provenance | publisher-changed | AI (provenance): shama is a known gruntjs team member; this is a legitimate maintainer transition within the project. | ai | |
| dependencies | unvetted-dep:v8flags | AI (dependencies): v8flags is a well-known, long-standing utility for enumerating V8 flags, commonly used in the grunt/gulp ecosystem. Not a meaningful risk for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): liftoff, interpret, and v8flags are canonical CLI launcher dependencies; their addition reflects a standard architectural refactor, not a supply-chain attack vector. | ai | |
| phantom-deps | phantom-dep:liftoff | AI (phantom-deps): grunt-cli passes liftoff and related deps through its loader architecture rather than directly importing them; this is the expected usage pattern for this package. | ai | |
| phantom-deps | phantom-dep:v8flags | AI (phantom-deps): v8flags is a legitimate declared dependency of grunt-cli; phantom detection reflects indirect usage in CLI bin/lib, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): nopt is a legitimate declared dependency of grunt-cli; phantom detection reflects indirect usage in CLI bin/lib, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:liftup | AI (phantom-deps): liftup is a legitimate declared dependency of grunt-cli; phantom detection reflects indirect usage in CLI bin/lib, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:grunt-known-options | AI (phantom-deps): grunt-known-options is a legitimate declared dependency of grunt-cli; phantom detection reflects indirect usage in CLI bin/lib, not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:interpret | AI (phantom-deps): interpret is a legitimate declared dependency of grunt-cli; phantom detection reflects indirect usage in CLI bin/lib, not a real phantom dep. | ai |
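The rule families in the table above (publisher-changed, maintainer-takeover, no-provenance, unclaimed-email) can all be re-derived from the registry's own metadata. The script below is an added example, not the scanner's code and not grunt-cli's: it runs the four checks over an npm "packument" (the JSON that `GET https://registry.npmjs.org/<name>` returns). The packument is constructed and trimmed to the fields the checks read; the cowboy to tkellen hand-off around 0.1.12/0.1.13 mirrors the findings further down this page, while the dates, the 1.5.0 maintainer list, the hypothetical 9.9.9 release with a SLSA attestation, the email addresses and the offline DNS answer table are placeholders, not registry records.

```javascript
// Added example: not the scanner's code nor grunt-cli's. Re-derives four rule
// families from a CONSTRUCTED npm packument (only the fields the checks read).
// Placeholders: all dates, the 1.5.0 maintainer list, the 9.9.9 release, the
// email addresses (the page does not say which account the sleekcode.net
// address belongs to), and the DNS answer table used for the offline run.
const packument = {
  name: 'grunt-cli',
  // top-level maintainers: the current owners (name + email) as npm lists them
  maintainers: [
    { name: 'tkellen', email: 'someone@sleekcode.net' }, // placeholder assignment
    { name: 'shama', email: 'someone@example.com' },     // placeholder address
  ],
  time: {
    '0.1.11': '2013-12-01T00:00:00.000Z', // placeholder date
    '0.1.12': '2014-01-22T00:00:00.000Z',
    '0.1.13': '2014-01-24T00:00:00.000Z',
    '1.5.0':  '2024-01-01T00:00:00.000Z', // placeholder date
    '9.9.9':  '2025-01-01T00:00:00.000Z', // hypothetical attested release
  },
  versions: {
    '0.1.11': { _npmUser: { name: 'cowboy' },  maintainers: [{ name: 'cowboy' }], dist: {} },
    // 0.1.12: a different account ran `npm publish` (publisher-changed) while
    // the maintainer list still named cowboy
    '0.1.12': { _npmUser: { name: 'tkellen' }, maintainers: [{ name: 'cowboy' }], dist: {} },
    // 0.1.13: the maintainer list shares no account with the previous version
    // (maintainer-takeover)
    '0.1.13': { _npmUser: { name: 'tkellen' }, maintainers: [{ name: 'tkellen' }], dist: {} },
    '1.5.0':  { _npmUser: { name: 'tkellen' }, maintainers: [{ name: 'tkellen' }, { name: 'shama' }], dist: {} },
    '9.9.9':  {
      _npmUser: { name: 'shama' },
      maintainers: [{ name: 'tkellen' }, { name: 'shama' }],
      // shape the registry uses for a provenance-attested publish
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/grunt-cli@9.9.9',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Versions ordered by registry publish time (the `time` map), oldest first, so
// "previous version" means previous by publish date, not by semver.
function versionsByPublishTime(p) {
  return Object.keys(p.versions).sort((a, b) => Date.parse(p.time[a]) - Date.parse(p.time[b]));
}

// publisher-changed: the account that ran `npm publish` (_npmUser) differs from
// the account that published the preceding version.
function publisherChanges(p) {
  const out = [];
  const order = versionsByPublishTime(p);
  for (let i = 1; i < order.length; i++) {
    const from = p.versions[order[i - 1]]._npmUser.name;
    const to = p.versions[order[i]]._npmUser.name;
    if (from !== to) out.push({ version: order[i], from, to, at: p.time[order[i]] });
  }
  return out;
}

// maintainer-takeover: the maintainer set of a version shares no account with
// the preceding version's set. A partial change (one added or removed while
// others remain) is the weaker maintainer-added / maintainer-removed signal.
function maintainerTakeovers(p) {
  const out = [];
  const order = versionsByPublishTime(p);
  for (let i = 1; i < order.length; i++) {
    const prev = new Set(p.versions[order[i - 1]].maintainers.map(m => m.name));
    const cur = new Set(p.versions[order[i]].maintainers.map(m => m.name));
    if (![...cur].some(n => prev.has(n))) out.push({ version: order[i], from: [...prev], to: [...cur] });
  }
  return out;
}

// no-provenance: an attested publish carries dist.attestations with a SLSA
// provenance predicate; without it the registry holds no link from the tarball
// back to a source commit and a build.
function hasProvenance(v) {
  const a = v.dist && v.dist.attestations;
  return Boolean(a && a.provenance && /^https:\/\/slsa\.dev\/provenance\//.test(a.provenance.predicateType));
}
function missingProvenance(p) {
  return versionsByPublishTime(p).filter(ver => !hasProvenance(p.versions[ver]));
}

// unclaimed-email: a maintainer address whose domain has no DNS records can be
// re-registered, handing an attacker that account's password-reset path.
// `hasDnsRecords(domain) -> boolean` is injected so the example runs offline;
// in production wrap `require('node:dns').promises.resolveAny(domain)` (which
// makes this async) and treat ENOTFOUND / ENODATA as "no records".
function unclaimedEmailDomains(p, hasDnsRecords) {
  return p.maintainers
    .map(m => ({ name: m.name, domain: m.email.split('@')[1].toLowerCase() }))
    .filter(m => !hasDnsRecords(m.domain));
}

// constructed DNS answer table for the offline run
const constructedDns = { 'example.com': true, 'sleekcode.net': false };
const lookup = domain => constructedDns[domain] === true;

function report(p, hasDnsRecords) {
  return {
    publisherChanges: publisherChanges(p),
    maintainerTakeovers: maintainerTakeovers(p),
    noProvenance: missingProvenance(p),
    unclaimedEmailDomains: unclaimedEmailDomains(p, hasDnsRecords),
  };
}

console.log(JSON.stringify(report(packument, lookup), null, 2));
```

Against the constructed packument this reports a publisher change at 0.1.12 and at the hypothetical 9.9.9, a maintainer takeover at 0.1.13, no provenance for every version except 9.9.9, and sleekcode.net as an unclaimed maintainer domain. Note that the two maintainer checks read the per-version `maintainers` snapshot, which is what lets a 2014 hand-off still be seen in today's packument, whereas the email check can only use the current top-level list.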
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 1.5.0 | 5 / 2 | |
| 1.4.3 | 5 / 2 | |
| 1.4.2 | 5 / 2 | |
| 1.4.1 | 5 / 2 | |
| 1.4.0 | 5 / 2 | |
| 1.3.2 | 5 / 2 | |
| 1.3.1 | 5 / 2 | |
| 1.3.0 | 5 / 2 | |
| 1.2.0 | 4 / 2 | |
| 1.1.0 | 3 / 2 | |
| 1.0.1 | 3 / 2 | |
| 1.0.0 | 3 / 2 | |
| 0.1.13 | 3 / 2 | |
| 0.1.12 | 3 / 2 | |
| 0.1.11 | 3 / 2 | |
| 0.1.10 | 3 / 2 | |
| 0.1.9 | 3 / 2 | |
| 0.1.8 | 3 / 2 | |
| 0.1.7 | 3 / 2 | |
| 0.1.6 | 2 / 2 | |
| 0.1.5 | 2 / 2 | |
| 0.1.4 | 2 / 0 | |
| 0.1.3 | 2 / 0 | |
| 0.1.2 | 3 / 0 | |
| 0.1.1 | 4 / 0 | |
| 0.1.0 | 4 / 0 |
v1.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
2 findings: Maintainer email '[email protected]' uses domain 'sleekcode.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings: Maintainer email '[email protected]' uses domain 'sleekcode.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
2 findings: This version was published by a different npm account than previous versions on 2018-08-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
2 findings: Maintainer email '[email protected]' uses domain 'sleekcode.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-03-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.13
3 findings: All previous maintainers (cowboy) were replaced by new maintainers (tkellen). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.12
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-01-22. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-03-31. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.