@c15t/cli
CLI for rapid c15t setup. Scaffold React and Next.js cookie banners and a preference center, generate types and config, and run migration tooling for self-hosted deployments.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): 112 new files consistent with v2 major rewrite; SLSA attestation covers the build. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Major version rewrite (v1→v2) with MCP integration explains 3x size growth; SLSA provenance confirms CI build integrity. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): xstate, evlog, @modelcontextprotocol/sdk are established packages added as part of documented v2 MCP feature. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI with SLSA attestation; stable signal for this package. | ai | |
| phantom-deps | phantom-dep:@types/better-sqlite3 | AI (phantom-deps): Framework-scoped types; loaded by convention for better-sqlite3. | ai | |
| phantom-deps | phantom-dep:jiti | AI (phantom-deps): Config-referenced loader; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@mrleebo/prisma-ast | AI (phantom-deps): Config-referenced schema parser; stable pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @c15t/cli is a consent-management CLI; Levenshtein match to 'joi' is a false positive with no impersonation intent. | ai | |
| phantom-deps | phantom-dep:@modelcontextprotocol/sdk | AI (phantom-deps): Listed as direct dependency; phantom-dep heuristic misfires on config-referenced usage. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a direct dependency in package.json; phantom-dep heuristic misfires on bundled/config usage. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 16 / 6 | |
| 2.0.4 | 15 / 6 | |
| 2.0.2 | 15 / 6 | |
| 2.0.1 | 15 / 6 | |
| 2.0.0 | 15 / 6 | |
| 1.8.6 | 18 / 4 | |
| 1.8.5 | 18 / 4 | |
| 1.8.4 | 18 / 4 | |
| 1.8.3 | 18 / 4 | |
| 1.8.2 | 18 / 4 | |
| 1.8.1 | 18 / 4 | |
| 1.8.0 | 18 / 4 |
v2.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.