@bitsocial/bitsocial-cli
Command line interface to Bitsocial API
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dep for TypeScript-compiled packages; stable false positive. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): typescript referenced in tsconfig/build config; not a direct import by design. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): oclif plugins declared in oclif config, not imported directly; standard oclif pattern. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-not-found | AI (phantom-deps): Same as plugin-help; oclif config reference, not a direct import. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall downloads SHA256-verified web UI assets; same script is explicitly used in CI; benign for this package. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.19.50 | 18 / 26 | |
| 0.19.49 | 18 / 26 | |
| 0.19.40 | 16 / 26 | |
| 0.19.39 | 16 / 26 | |
v0.19.50
2 findings. Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.49
2 findings. Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.40
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.39
1 finding. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.