@ant-design/cli MIT 7 versions

@ant-design/cli

npm Repository Homepage

CLI tool for querying antd knowledge and analyzing antd usage in projects

7

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

afc163zombiejchenshuai2144arvinxxmadccc

Keywords

ant-designantdclicomponentreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation from the official ant-design org; legitimate automation pattern.	ai	2026/05/18
source-diff	source-size-tripled	AI (source-diff): Size increase is from bundled versioned antd component data files (JSON.gz), not injected code payloads.	ai	2026/05/18
publish-pattern	new-deps-added	AI (publish-pattern): oxc-parser is a well-known Rust-based JS parser; appropriate for a CLI that analyzes antd usage in projects.	ai	2026/05/18
typosquat	typosquat.levenshtein:joi	AI (typosquat): Legitimate @ant-design scoped package; Levenshtein match to 'joi' is a false positive with no semantic relationship.	ai	2026/04/29

Versions (showing 7 of 7)

Version	Deps	Published
6.4.2	1 / 12	2026-05-14
6.4.1	1 / 12	2026-05-14
6.4.0	1 / 12	2026-05-14
6.3.7	1 / 10	2026-04-27
6.3.6	1 / 10	2026-04-17
6.3.5	1 / 10	2026-04-02
0.1.0	1 / 6	2026-03-17

v6.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.6

2 findings

HIGH Publisher changed: afc163 → GitHub Actions (on 2026-04-17) provenance

This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.3.5

2 findings

HIGH Publisher changed: afc163 → GitHub Actions (on 2026-04-02) provenance

This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.