@cleocode/nexus
CLEO project registry and code intelligence — unified nexus package
28
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
kryptobaseddev
Keywords
cleonexuscode-intelligencetree-sitterproject-registry
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:graphology-communities-louvain | AI (phantom-deps): Config-file-only reference; consistent with how tree-sitter and graphology plugins are declared but loaded dynamically. | ai | |
| phantom-deps | phantom-dep:tree-sitter-c | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tree-sitter-go | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tree-sitter-cpp | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tree-sitter-java | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tree-sitter-rust | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:tree-sitter-python | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| phantom-deps | phantom-dep:graphology-types | AI (phantom-deps): Type definitions for graphology; phantom-dep pattern is expected for TypeScript type packages. | ai | |
| phantom-deps | phantom-dep:tree-sitter-ruby | AI (phantom-deps): Tree-sitter language bindings are dynamically loaded; phantom-dep pattern is expected for this package type. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): Package is scoped under @cleocode and is a code intelligence nexus/hub package — not an impersonation of Next.js. Edit distance of 2 is coincidental given the different namespace and purpose. | ai |
Versions (showing 28 of 233)
| Version | Deps | Published |
|---|---|---|
| 2026.4.63 | 15 / 3 | |
| 2026.4.62 | 15 / 3 | |
| 2026.4.60 | 15 / 3 | |
| 2026.4.59 | 15 / 3 | |
| 2026.4.58 | 15 / 3 | |
| 2026.4.57 | 15 / 3 | |
| 2026.4.56 | 15 / 3 | |
| 2026.4.55 | 15 / 3 | |
| 2026.4.54 | 15 / 3 | |
| 2026.4.53 | 15 / 3 | |
| 2026.4.52 | 15 / 3 | |
| 2026.4.51 | 15 / 3 | |
| 2026.4.50 | 15 / 3 | |
| 2026.4.49 | 15 / 3 | |
| 2026.4.48 | 15 / 3 | |
| 2026.4.47 | 15 / 3 | |
| 2026.4.46 | 15 / 3 | |
| 2026.4.45 | 15 / 3 | |
| 2026.4.44 | 15 / 3 | |
| 2026.4.42 | 15 / 3 | |
| 2026.4.41 | 15 / 3 | |
| 2026.4.40 | 15 / 3 | |
| 2026.4.39 | 15 / 3 | |
| 2026.4.38 | 15 / 3 | |
| 2026.4.37 | 15 / 3 | |
| 2026.4.36 | 15 / 3 | |
| 2026.4.35 | 15 / 3 | |
| 0.1.0 | 15 / 3 |
v2026.4.55
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.4.42
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.