@cleocode/cleo-os
CleoOS — the batteries-included agentic development environment wrapping Pi
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@cleocode/paths | AI (phantom-deps): Same-org monorepo sibling; indirect usage via re-export is expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cleocode/contracts | AI (phantom-deps): Same-org monorepo sibling; indirect usage via re-export is expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cleocode/agents | AI (phantom-deps): Same-org monorepo dep; phantom detection is a stable false positive for this package scope. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs a bundled JS file (bin/postinstall.js) for environment setup — standard pattern for CLI/dev-environment tools. No network fetch of arbitrary code or obfuscation. | ai | |
| phantom-deps | phantom-dep:@cleocode/cleo | AI (phantom-deps): @cleocode/cleo is a declared dep in the same org scope; likely used via dynamic import or CLI invocation not detectable by static analysis. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 2026.5.109 | 8 / 2 | |
| 2026.5.88 | 8 / 2 | |
| 2026.4.154 | 6 / 2 | |
| 2026.4.132 | 7 / 2 | |
| 2026.4.109 | 6 / 2 | |
| 2026.4.100 | 6 / 2 | |
| 2026.4.75 | 5 / 2 | |
| 2026.4.67 | 5 / 2 | |
| 2026.4.46 | 5 / 2 | |
| 2026.4.25 | 3 / 2 | |
| 2026.4.23 | 3 / 2 | |
| 2026.4.19 | 3 / 2 | |
v2026.5.109
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.88
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.132
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.109
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.100
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.75
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.67
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.46
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.25
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.23
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.19
2 findings
Script: node bin/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.