@akanjs/cli
The official command-line interface for the Akan.js ecosystem, providing powerful development tools for creating, managing, and deploying modern web applications with ease.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-bulk-read | AI (semgrep): Used to forward env to child build processes; standard CLI/build-tool pattern for this package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Fires on openBrowser() which uses detached spawn to open a URL in the OS browser — standard pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same openBrowser() call site; variable-command variant of the same benign pattern. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): IP is 127.0.0.1:4873 — local Verdaccio registry default, not an external exfiltration endpoint. | ai | |
| phantom-deps | phantom-dep:daisyui | AI (phantom-deps): Tailwind plugin; referenced in config files rather than imported directly — expected usage pattern. | ai | |
| phantom-deps | phantom-dep:tailwind-scrollbar | AI (phantom-deps): Tailwind plugin; config-file reference only, not a direct import — expected usage pattern. | ai | |
| dependencies | unvetted-dep:next-pwa | AI (dependencies): next-pwa 5.6.0 is a well-known PWA plugin pinned at a specific version; acceptable for a CLI build tool context. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool executing system commands via child_process is core functionality, not malicious. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @akanjs/cli is not a plausible typosquat of joi; different namespace and purpose. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is declared in package.json dependencies; phantom-dep heuristic is a false positive here. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI devkit tool spreading process.env for build environment configuration is expected behavior. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 2.2.6 | 24 / 0 | |
| 2.2.0 | 24 / 0 | |
| 2.1.0 | 22 / 0 | |
| 1.0.19 | 40 / 0 | |
| 1.0.18 | 40 / 0 | |
| 1.0.17 | 40 / 0 | |
| 1.0.16 | 40 / 0 | |
| 1.0.14 | 40 / 0 | |
| 1.0.13 | 40 / 0 | |
| 1.0.12 | 40 / 0 | |
| 1.0.11 | 40 / 0 | |
| 1.0.10 | 40 / 0 | |
| 1.0.9 | 40 / 0 | |
| 1.0.6 | 40 / 0 | |
| 1.0.4 | 40 / 0 | |
| 1.0.3 | 40 / 0 | |
| 1.0.1 | 40 / 0 | |
| 1.0.0 | 40 / 0 | |
| 0.9.58 | 39 / 0 | |
| 0.9.57 | 39 / 0 | |
| 0.9.55 | 39 / 0 | |
v2.2.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
3 findings
Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/akan-team/akanjs/blob/d722ecd64eee83513e33efba7a261b119dcb25fe/index.js#L9537

```js
  9535 | function openBrowser(url) {
  9536 |   const command3 = process.platform === "darwin" ? ["open", url] : process.platform === "win32" ? ["cmd", "/c", "start",
> 9537 |   const child = spawn2(command3[0], command3.slice(1), { detached: true, stdio: "ignore" });
  9538 |   child.on("error", () => {});
  9539 |   child.unref();
```

Silent detached process — runs invisibly in the background (reverse shells, miners)
Source: https://github.com/akan-team/akanjs/blob/d722ecd64eee83513e33efba7a261b119dcb25fe/index.js#L9537 (second rule firing on the same openBrowser() call site; snippet identical to the one above)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
5 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/akan-team/akanjs/blob/cc5790ebbc648de1d8d1e277ebe0a38b0f5d332d/cjs/index.js#L4288

```js
  4286 |   #getEnv(lib, env = {}) {
  4287 |     const rootEnv = import_dotenv2.default.parse(lib.workspace.readFile(".env"));
> 4288 |     return {
  4289 |       ...process.env,
  4290 |       ...rootEnv,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/akan-team/akanjs/blob/cc5790ebbc648de1d8d1e277ebe0a38b0f5d332d/cjs/index.js#L4734

```js
  4732 |     const PORT = basePort ? (basePort + portOffset).toString() : void 0;
  4733 |     const NEXT_PUBLIC_SERVER_PORT = portOffset ? (8080 + portOffset).toString() : void 0;
> 4734 |     return {
  4735 |       ...process.env,
  4736 |       ...rootEnv,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/akan-team/akanjs/blob/cc5790ebbc648de1d8d1e277ebe0a38b0f5d332d/esm/index.js#L4269

```js
  4267 |   #getEnv(lib, env = {}) {
  4268 |     const rootEnv = dotenv2.parse(lib.workspace.readFile(".env"));
> 4269 |     return {
  4270 |       ...process.env,
  4271 |       ...rootEnv,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/akan-team/akanjs/blob/cc5790ebbc648de1d8d1e277ebe0a38b0f5d332d/esm/index.js#L4715

```js
  4713 |     const PORT = basePort ? (basePort + portOffset).toString() : void 0;
  4714 |     const NEXT_PUBLIC_SERVER_PORT = portOffset ? (8080 + portOffset).toString() : void 0;
> 4715 |     return {
  4716 |       ...process.env,
  4717 |       ...rootEnv,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.58
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.57
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.55
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.