@ably/cli

Ably CLI for Pub/Sub, Chat and Spaces

Versions: 5
License: Apache-2.0
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

mschristensen, ably-realtime, simonw_ably, owenpearson, ttypic, lawrence.forooghian.ably, andrii.bulat.ably, andytwf, splind06, zariel-ably, mattheworiordan, vlad.velici.ably

Keywords

ably, cli, realtime, pubsub, chat, spaces

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source          | Rule                                           | Reason                                                                                                                  | Accepted by | When
dependencies    | unvetted-dep:fast-levenshtein                  | AI (dependencies): Well-known string distance utility; no malware signals.                                              | ai          |
dependencies    | unvetted-dep:color-json                        | AI (dependencies): Small JSON colorizer utility; no malware signals.                                                    | ai          |
dependencies    | unvetted-dep:@ably/chat                        | AI (dependencies): First-party Ably package from the same publisher org.                                                | ai          |
phantom-deps    | phantom-dep:zod                                | AI (phantom-deps): Referenced in config files only; stable false positive.                                              | ai          |
phantom-deps    | phantom-dep:react                              | AI (phantom-deps): Used in web-cli example/packages, not the main CLI entry; stable false positive.                     | ai          |
phantom-deps    | phantom-dep:react-dom                          | AI (phantom-deps): Same as react: web-cli example only; stable false positive.                                          | ai          |
phantom-deps    | phantom-dep:@xterm/xterm                       | AI (phantom-deps): Terminal emulator dep used in web-cli context; stable false positive.                                | ai          |
install-scripts | install-script:postinstall                     | AI (install-scripts): Runs a local welcome script, skips in CI; no network fetch or arbitrary code execution.           | ai          |
phantom-deps    | phantom-dep:@xterm/addon-web-links             | AI (phantom-deps): xterm addon for web-cli; stable false positive.                                                      | ai          |
phantom-deps    | phantom-dep:@oclif/plugin-autocomplete         | AI (phantom-deps): Declared as oclif plugin in config, not a direct import; stable false positive.                      | ai          |
phantom-deps    | phantom-dep:@oclif/plugin-warn-if-update-available | AI (phantom-deps): Declared as oclif plugin in config, not a direct import; stable false positive.                  | ai          |
phantom-deps    | phantom-dep:@xterm/addon-fit                   | AI (phantom-deps): xterm addon for web-cli; stable false positive.                                                      | ai          |
typosquat       | typosquat.levenshtein:joi                      | AI (typosquat): Scoped package @ably/cli; edit-distance match to 'joi' is a false positive with no brand impersonation.  | ai          |
phantom-deps    | phantom-dep:ws                                 | AI (phantom-deps): Referenced in oclif/runtime config, not a direct import; stable false positive for this CLI package. | ai          |

Versions (showing 5 of 5)

Version | Deps    | Published
1.1.0   | 27 / 40 |
1.0.0   | 25 / 40 |
0.17.0  | 24 / 41 |
0.16.0  | 25 / 41 |
0.15.0  | 25 / 41 |

v1.1.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

2 findings
HIGH: Package has 'postinstall' script [install-scripts]

Script:

    [ "$CI" = "true" ] || (test -f ./dist/scripts/postinstall-welcome.js && node ./dist/scripts/postinstall-welcome.js || echo "Skipping welcome script (not found)")

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.