@capgo/cli
A CLI to upload to capgo servers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped CLI package for Capgo; Levenshtein match to 'joi' is a false positive with no brand impersonation. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
| phantom-deps | phantom-dep:@inkjs/ui | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
| phantom-deps | phantom-dep:node-forge | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): Listed as runtime dependency; bundled output may not show direct imports. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 7.94.2 | 7 / 35 | |
| 7.93.4 | 7 / 35 | |
| 7.93.3 | 7 / 35 | |
| 7.93.2 | 7 / 35 | |
| 7.93.1 | 7 / 35 | |
| 7.92.2 | 7 / 35 | |
| 7.92.1 | 7 / 35 | |
| 7.92.0 | 7 / 35 | |
| 7.91.0 | 7 / 35 | |
| 7.90.0 | 7 / 35 | |
| 7.89.6 | 7 / 35 | |
| 7.89.5 | 7 / 35 | |
| 7.89.4 | 7 / 35 | |
| 7.89.2 | 7 / 35 | |
| 7.88.9 | 6 / 34 | |
| 7.88.8 | 6 / 34 | |
| 7.88.7 | 6 / 34 | |
| 7.88.6 | 6 / 34 | |
| 7.88.5 | 6 / 34 | |
| 7.88.4 | 6 / 34 | |
| 7.88.3 | 6 / 34 | |
| 7.88.2 | 6 / 34 | |
| 7.88.1 | 6 / 34 | |
| 7.88.0 | 6 / 34 | |
| 7.87.0 | 0 / 31 | |
| 7.86.1 | 0 / 31 | |
| 7.86.0 | 0 / 31 | |
| 7.85.0 | 0 / 30 | |
| 7.84.10 | 0 / 30 | |
| 7.84.9 | 0 / 30 | |
| 7.84.8 | 0 / 30 | |
| 7.84.7 | 0 / 30 | |
| 7.84.6 | 0 / 30 | |
v7.94.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.93.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.93.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.93.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.93.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.92.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.92.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.92.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.91.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.90.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.89.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.89.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.89.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.89.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.88.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.87.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.86.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.86.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.85.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.84.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.84.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.84.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.84.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.84.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.