@azure-tools/typespec-client-generator-cli
A tool to generate Azure SDKs from TypeSpec
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@azure-tools/rest-api-diff | AI (phantom-deps): Same org scope; referenced indirectly as expected for this toolchain. | ai | |
| phantom-deps | phantom-dep:autorest | AI (phantom-deps): autorest is a CLI tool invoked by config, not imported directly; expected for this SDK gen tool. | ai | |
| phantom-deps | phantom-dep:@autorest/core | AI (phantom-deps): Referenced in config files as documented; not a direct import. | ai | |
| phantom-deps | phantom-dep:@autorest/openapi-to-typespec | AI (phantom-deps): Referenced in config files; not a direct import, expected for this tool. | ai | |
| phantom-deps | phantom-dep:@azure/core-rest-pipeline | AI (phantom-deps): Azure SDK framework-scoped dependency; loaded by convention in Azure tools. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Tool package with GitHub-hosted docs; README links are legitimate references, not phishing. | ai | |
| phantom-deps | phantom-dep:@types/yargs | AI (phantom-deps): Type definitions loaded by yargs convention; stable pattern for this package. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.33.1 | 11 / 11 | |
| 0.33.0 | 9 / 11 | |
| 0.32.1 | 9 / 11 | |
| 0.32.0 | 9 / 11 | |
| 0.29.1 | 12 / 11 | |
| 0.28.2 | 12 / 11 | |
| 0.28.1 | 12 / 11 | |
| 0.28.0 | 12 / 11 | |
| 0.27.0 | 12 / 11 | |
| 0.23.0 | 12 / 11 | |
| 0.22.0 | 13 / 11 | |
| 0.21.0 | 13 / 11 | |
v0.33.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.