@backtest-kit/cli — Greenflagged

Zero-boilerplate CLI runner for backtest-kit strategies. Run backtests, paper trading, and live bots with candle cache warming, web dashboard, and Telegram notifications — no setup code required.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tripolskypetr

Keywords

backtestbacktestingtradingclicryptocurrencycryptolive-tradingpaper-tradingtelegrambinanceccxtcandle-cachestrategytypescriptmonorepo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:telegraf	AI (dependencies): telegraf is the standard Telegram bot framework; expected for a CLI with Telegram notifications.	ai	2026/05/29
phantom-deps	phantom-dep:markdownlint	AI (phantom-deps): Referenced in config files per finding; stable false positive for this package.	ai	2026/05/29
phantom-deps	phantom-dep:get-moment-stamp	AI (phantom-deps): Referenced in config files per finding; stable false positive for this package.	ai	2026/05/29
dependencies	unvetted-dep:ccxt	AI (dependencies): ccxt is the canonical crypto exchange library; expected core dep for a backtesting CLI.	ai	2026/05/29
phantom-deps	phantom-dep:di-scoped	AI (phantom-deps): Referenced in config files per finding; stable false positive for this package.	ai	2026/05/29
semgrep	semgrep:toplevel-fetch	AI (semgrep): fetch_docs.mjs is a template script that fetches README docs for listed libraries; not exfiltration.	ai	2026/05/02
typosquat	typosquat.levenshtein:joi	AI (typosquat): @backtest-kit/cli is a scoped crypto backtesting CLI; no relation to joi validation library.	ai	2026/05/02

Versions (showing 4 of 4)

Version	Deps	Published
9.8.3	16 / 25	2026-05-26
6.0.0	15 / 25	2026-03-31
5.11.1	15 / 25	2026-03-30
0.0.2	15 / 17	2026-02-24

v9.8.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.11.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.