@botonic/cli
Build Chatbots Using React
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Runs a local node script for CLI setup; stable pattern across this package's many versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads user-supplied bot config file by path; documented CLI behavior, not arbitrary code loading. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately uses child_process for build/deploy operations; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:zip-a-folder | AI (dependencies): zip-a-folder is a legitimate archiving utility appropriate for a chatbot CLI tool; stable use across versions. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @botonic/cli is a legitimate Botonic framework CLI, not a typosquat of joi. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): Referenced in oclif config block in package.json as a plugin, not a direct import; expected pattern. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; stable false positive for TS packages. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.49.0 | 11 / 8 | |
| 0.48.1 | 11 / 8 | |
| 0.48.0 | 11 / 8 | |
| 0.47.0 | 11 / 8 | |
| 0.46.0 | 11 / 8 | |
| 0.45.0 | 11 / 8 | |
| 0.44.0 | 11 / 13 | |
| 0.43.0 | 11 / 15 | |
| 0.42.0 | 10 / 15 | |
| 0.39.1 | 20 / 9 | |
| 0.37.1 | 20 / 9 | |
| 0.36.0 | 20 / 9 | |
| 0.35.0 | 19 / 9 | |
v0.49.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.48.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.48.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.47.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.46.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.45.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.44.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.43.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.42.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.39.1
2 findings:
Install script: `node scripts/postinstall.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.37.1
2 findings:
Install script: `node scripts/postinstall.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.0
2 findings:
Install script: `node scripts/postinstall.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.35.0
2 findings:
Install script: `node scripts/postinstall.js`
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.