neon-cli
Build and load native Rust/Neon modules.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in artifacts.js loads project config files by path — expected behavior for a build tool CLI. Not an arbitrary code execution risk in this context. | ai | |
| source-diff | large-new-source-files | AI (source-diff): neon-cli is a TypeScript project that compiles to dist/; large numbers of new source files are expected when TypeScript output is included in the package. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a well-known templating library; its use in neon-cli for scaffolding new project templates is expected and legitimate. | ai | |
| dependencies | unvetted-dep:validate-npm-package-license | AI (dependencies): validate-npm-package-license is a standard utility used for validating SPDX license strings; legitimate and expected in a project scaffolding CLI. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance on npm by years; absence of attestation is expected for this legacy package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): neon-cli is a build CLI that must invoke cargo/rustc and other system processes; child_process.spawn is core functionality, not a risk. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE-* | AI (license): This is the standard license field format used by the neon-bindings project; the repo contains the actual LICENSE file. Stable across versions. | ai | |
| phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a standard native Node.js addon dependency; it appears in package.json for native build tooling purposes, not as a direct JS import. Expected for neon-cli. | ai | |
| phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is a known implicit runtime/binary dependency for native module builds; its presence without direct JS import is expected for neon-cli. | ai | |
| phantom-deps | phantom-dep:in-publish | AI (phantom-deps): in-publish is referenced in the prepublish script (not imported in JS), which is its documented usage pattern as a publish guard. | ai | |
| bogus-package | bogus-package | AI (bogus-package): neon-cli is a well-established package (3774 days, 44 versions, 6k weekly downloads) with a proper repo and homepage. README/keywords signals are false positives. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): neon-cli is a build tool that spawns child processes (cargo, etc.) to compile Rust modules. child_process usage is fundamental to its purpose and not a security concern. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.4.1 | 14 / 8 | |
| 0.1.17 | 17 / 20 | |
| 0.1.15 | 15 / 8 | |
| 0.1.4 | 13 / 8 | |
v0.4.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kjv.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.