@alephium/cli GPL 8 versions

@alephium/cli

npm Repository Homepage

Alephium command line tool

8

Versions

GPL

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

alephium-personaleyetteamikapote

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Spreads env into a local devnet child process; no exfiltration risk.	ai	2026/04/29
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All raw IPs are localhost (127.0.0.1) for local devnet management; not exfiltration.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): CLI tool legitimately uses child_process; expected pattern for this package type.	ai	2026/04/29
semgrep	semgrep:dynamic-require	AI (semgrep): Loads user-specified deployment scripts; documented CLI behavior.	ai	2026/04/29
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped @alephium package; not a typosquat of joi.	ai	2026/04/29
phantom-deps	phantom-dep:@swc/core	AI (phantom-deps): @swc/core is listed as a runtime dep and used via config; phantom-dep heuristic misfires here.	ai	2026/04/29

Versions (showing 8 of 8)

Version	Deps	Published
3.0.4	9 / 4	2026-04-27
3.0.3	9 / 4	2026-04-20
3.0.2	9 / 4	2026-04-14
3.0.1	9 / 4	2026-04-14
3.0.0	9 / 4	2026-04-14
2.0.11	10 / 5	2026-04-08
2.0.10	10 / 5	2026-03-31
2.0.8	10 / 5	2025-11-25

v3.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.