listr
Terminal task list
Versions: 5
License: MIT
Install scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
samverschueren
Keywords
cli, task, list, tasklist, terminal, term, console, ascii, unicode, loading, indicator, progress, busy, wait, idle
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (is-stream, stream-to-observable) are well-known legitimate packages consistent with the package's stream/observable feature additions. No malicious signal. | ai | |
| dependencies | unvetted-dep:rxjs | AI (dependencies): rxjs is a widely-used, well-maintained reactive programming library; a legitimate and expected dependency for listr's observable support. | ai | |
| dependencies | unvetted-dep:is-observable | AI (dependencies): is-observable is a small utility package consistent with listr's observable support; no risk indicators. | ai | |
| dependencies | unvetted-dep:listr-silent-renderer | AI (dependencies): listr-silent-renderer is a first-party renderer for listr, authored by the same maintainer; expected dependency. | ai | |
| dependencies | unvetted-dep:listr-verbose-renderer | AI (dependencies): listr-verbose-renderer is a first-party renderer for listr, authored by the same maintainer; expected dependency. | ai | |
| dependencies | unvetted-dep:@samverschueren/stream-to-observable | AI (dependencies): Scoped package by the same maintainer (samverschueren); a legitimate utility for listr's stream-to-observable conversion. | ai | |
| dependencies | unvetted-dep:listr-update-renderer | AI (dependencies): listr-update-renderer is a first-party renderer for listr, authored by the same maintainer; expected dependency. | ai | |
| dependencies | unvetted-dep:figures | AI (dependencies): figures is a well-known, widely-used npm package for terminal Unicode symbols; its use is expected and appropriate for a CLI task list library like listr. | ai | |
| provenance | no-provenance | AI (provenance): listr predates npm provenance attestation; absence is expected for a package first published ~10 years ago. | ai | |