@cabloy/cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@zhennann/ejs | AI (dependencies): Same author's scoped fork; consistent across all versions of this package. | ai | |
| dependencies | unvetted-dep:@zhennann/common-bin | AI (dependencies): Same author's scoped fork; consistent across all versions of this package. | ai | |
| dependencies | unvetted-dep:@cabloy/process-helper | AI (dependencies): Same org scope as this package; stable dependency across versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Part of CabloyJS monorepo; mass-production pattern and sparse README are expected for framework sub-packages. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Incidental edit-distance match; @cabloy/cli is a CLI tool in the CabloyJS framework, not a typosquat of joi. | ai | |
| phantom-deps | phantom-dep:@cabloy/word-utils | AI (phantom-deps): Same org scope; likely used transitively or via re-export within the CabloyJS framework. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 3.1.10 | 22 / 0 | |
| 3.1.7 | 22 / 0 | |
| 3.1.5 | 22 / 0 | |
| 3.1.1 | 22 / 3 | |
| 3.0.103 | 22 / 0 | |
| 3.0.101 | 22 / 0 | |
| 3.0.97 | 21 / 0 | |
| 3.0.96 | 21 / 0 | |
| 3.0.95 | 21 / 0 | |
| 3.0.91 | 21 / 0 | |
| 3.0.88 | 21 / 0 | |
| 3.0.84 | 21 / 0 | |
| 3.0.83 | 21 / 0 | |
| 3.0.80 | 21 / 0 | |
| 3.0.73 | 21 / 0 | |
| 3.0.67 | 21 / 0 | |
| 3.0.61 | 21 / 0 | |
| 3.0.58 | 21 / 0 | |
| 3.0.54 | 21 / 0 | |
| 3.0.12 | 21 / 0 |
v3.1.10
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.7
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.5
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.103
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.101
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.97
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.96
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.95
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.91
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.88
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.84
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.83
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.80
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.73
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.67
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.61
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.58
2 findingsMatched 4 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'zhennann' owns 250 packages, ≥70% share a templated name shape. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section. • [S_DESC_MATCHES_NAME] Description is empty or just restates the package name. • [S_NO_REPO_NO_HOME] No repository, homepage, or bugs URL — genuine packages almost always link somewhere.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.54
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.