@backstage/cli
CLI for developing Backstage plugins and apps
13
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
patrikofrebenmarcuseide
Keywords
backstage
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): CLI tool; deps referenced via config/runtime loading, not direct imports. | ai | |
| dependencies | unvetted-dep:@octokit/graphql-schema | AI (dependencies): Official Octokit org package providing GitHub GraphQL schema types; expected dependency for Backstage CLI's GitHub integration. | ai | |
| phantom-deps | phantom-dep:@svgr/plugin-svgo | AI (phantom-deps): Config-referenced SVGR plugin; stable CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:terser-webpack-plugin | AI (phantom-deps): Config-referenced webpack plugin; stable CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:@octokit/oauth-app | AI (phantom-deps): Config-referenced dep; stable CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:@svgr/plugin-jsx | AI (phantom-deps): Config-referenced SVGR plugin; stable CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:@octokit/graphql | AI (phantom-deps): Referenced in config files; consistent with CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:@backstage/types | AI (phantom-deps): Same-org package used via config convention, not direct import; stable for this package. | ai | |
| phantom-deps | phantom-dep:@svgr/core | AI (phantom-deps): CLI tool references deps via webpack/rollup config files, not direct imports; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@sucrase/webpack-loader | AI (phantom-deps): Config-referenced webpack loader; stable CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:@octokit/graphql-schema | AI (phantom-deps): Config-referenced dep; stable CLI tool pattern. | ai | |
| dependencies | unvetted-dep:@spotify/eslint-config-react | AI (dependencies): Spotify ESLint config; standard dep for Backstage CLI. | ai | |
| dependencies | unvetted-dep:@spotify/eslint-config-typescript | AI (dependencies): Spotify ESLint config; standard dep for Backstage CLI. | ai | |
| phantom-deps | phantom-dep:jest | AI (phantom-deps): CLI configures Jest; referenced in config files by design. | ai | |
| phantom-deps | phantom-dep:jest-cli | AI (phantom-deps): CLI configures Jest; referenced in config files by design. | ai | |
| phantom-deps | phantom-dep:@types/jest | AI (phantom-deps): Type package loaded by convention in Jest-configuring CLI. | ai | |
| phantom-deps | phantom-dep:json-schema | AI (phantom-deps): Referenced in config files; stable false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:eslint-formatter-friendly | AI (phantom-deps): Referenced in ESLint config files; expected for this CLI. | ai | |
| phantom-deps | phantom-dep:@spotify/eslint-config-react | AI (phantom-deps): Referenced in ESLint config files; expected for this CLI. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-unused-imports | AI (phantom-deps): Referenced in ESLint config files; expected for this CLI. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): Referenced in ESLint config files; expected for this CLI. | ai | |
| phantom-deps | phantom-dep:@spotify/eslint-config-typescript | AI (phantom-deps): Referenced in ESLint config files; expected for this CLI. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Established templating library; standard dep for Backstage CLI scaffolding. | ai | |
| dependencies | unvetted-dep:replace-in-file | AI (dependencies): Common file-manipulation utility; expected in a CLI tool. | ai | |
| dependencies | unvetted-dep:jest-css-modules | AI (dependencies): Jest transform helper; expected in a CLI that configures Jest. | ai | |
| dependencies | unvetted-dep:eslint-formatter-friendly | AI (dependencies): ESLint formatter; expected in a CLI that bundles ESLint config. | ai | |
| dependencies | unvetted-dep:eslint-plugin-deprecation | AI (dependencies): ESLint plugin; expected in a CLI that bundles ESLint config. | ai | |
| dependencies | unvetted-dep:@spotify/eslint-config-base | AI (dependencies): Spotify ESLint config; standard dep for Backstage CLI. | ai | |
| dependencies | unvetted-dep:@backstage/release-manifests | AI (dependencies): Same-org Backstage package; expected internal dep. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-hooks | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): CLI tooling; glob referenced in config files, not direct imports — stable FP for this package. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Referenced in config files; stable FP for this CLI package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): ESLint is a peer/config dep for this CLI; stable FP. | ai | |
| phantom-deps | phantom-dep:pirates | AI (phantom-deps): Used transitively via sucrase/config; stable FP for this CLI. | ai | |
| phantom-deps | phantom-dep:sucrase | AI (phantom-deps): Referenced in config files; stable FP for this CLI package. | ai | |
| phantom-deps | phantom-dep:@swc/core | AI (phantom-deps): SWC is a build/test tool dep referenced in config; stable FP. | ai | |
| phantom-deps | phantom-dep:@swc/jest | AI (phantom-deps): Jest transform dep referenced in config; stable FP. | ai | |
| phantom-deps | phantom-dep:cross-fetch | AI (phantom-deps): Utility dep referenced in config; stable FP for this CLI. | ai | |
| phantom-deps | phantom-dep:jest-css-modules | AI (phantom-deps): Jest config dep; stable FP for this CLI package. | ai | |
| phantom-deps | phantom-dep:@types/webpack-env | AI (phantom-deps): Type-only dep loaded by convention; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jest | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:@manypkg/get-packages | AI (phantom-deps): Monorepo tooling dep referenced in config; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint parser referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-deprecation | AI (phantom-deps): ESLint plugin referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:@spotify/eslint-config-base | AI (phantom-deps): ESLint config referenced in config files; stable FP. | ai | |
| phantom-deps | phantom-dep:@backstage/eslint-plugin | AI (phantom-deps): Same-org package; phantom detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@backstage/catalog-model | AI (phantom-deps): Same-org package; phantom detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@backstage/integration | AI (phantom-deps): Same-org package; phantom detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:git-url-parse | AI (phantom-deps): Referenced in config files; expected for a CLI that handles git repository operations. | ai | |
| phantom-deps | phantom-dep:global-agent | AI (phantom-deps): Referenced in config files for proxy support; expected for a CLI tool. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): Buffer is declared as a dependency for browser polyfill use in webpack/rspack configs — expected for a build CLI tool. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): PostCSS is referenced in build config files; expected for a CLI that handles CSS bundling. | ai | |
| provenance | no-provenance | AI (provenance): Backstage CLI is a well-established package from the official backstage/backstage monorepo; lack of provenance is acceptable given its age and ecosystem standing. | ai | |
| phantom-deps | phantom-dep:@swc/helpers | AI (phantom-deps): SWC helpers are a known implicit dependency when using @swc/core for transpilation. | ai | |
| phantom-deps | phantom-dep:undici | AI (phantom-deps): undici is a known implicit/runtime dependency; expected for a CLI making HTTP requests. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known implicit/binary dependency for build tooling; analyzer correctly flags as such. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in eslint-factory.js loads package.json from a user-specified project directory — standard CLI behavior for inspecting project structure, not arbitrary code loading. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @backstage/cli cannot be a typosquat of unscoped 'joi'; edit-distance comparison across scoped/unscoped namespaces is a false positive for this package. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.36.2 | 35 / 22 | |
| 0.36.1 | 35 / 23 | |
| 0.36.0 | 35 / 23 | |
| 0.35.4 | 99 / 47 | |
| 0.35.3 | 97 / 47 | |
| 0.35.2 | 97 / 47 | |
| 0.35.1 | 97 / 47 | |
| 0.35.0 | 97 / 47 | |
| 0.34.6 | 102 / 43 | |
| 0.34.5 | 102 / 43 | |
| 0.34.4 | 102 / 43 | |
| 0.34.3 | 105 / 43 | |
| 0.33.1 | 114 / 38 |
v0.36.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.6
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.3
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.