tree-sitter-cli — Greenflagged

CLI for generating fast incremental parsers

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

ahlincmaxbrunsfeldamaanqtclemqueervioletrewinfreyrobrixjoshvera

parserlexer

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:install	AI (install-scripts): tree-sitter-cli's install script fetches prebuilt binaries for the target platform — standard pattern for this native CLI tool, consistent across all versions.	ai	2026/04/25
semgrep	semgrep:child-process-import	AI (semgrep): cli.js uses child_process.spawn solely to invoke the downloaded tree-sitter binary; this is the expected and benign behavior of a CLI wrapper package.	ai	2026/04/25
bogus-package	bogus-package	AI (bogus-package): Mass-production signal is due to amaanq maintaining many tree-sitter grammar packages (a known ecosystem pattern); no-deps is expected for a prebuilt binary CLI tool.	ai	2026/04/25

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

2 findings

HIGH Package has 'install' script install-scripts

Script: node install.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.