@cleocode/worktree
Native CLEO worktree backend SDK — createWorktree, destroyWorktree, listWorktrees, pruneWorktrees with XDG path canon and declarative hooks (T1161)
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Native NAPI binding package; .node files are the expected build output, backed by SLSA provenance. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is a platform-specific binary loader gated on existsSync; stable false positive for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is a same-org sibling package (@cleocode/paths) pinned to matching calver; consistent monorepo release pattern. | ai | |
| dependencies | unvetted-dep:env-paths | AI (dependencies): env-paths is a well-known sindresorhus utility for XDG/platform paths; its use is appropriate and expected for this package's stated purpose. Stable false positive for this package. | ai |
Versions (showing 51 of 151)
| Version | Deps | Published |
|---|---|---|
| 2026.6.12 | 2 / 4 | |
| 2026.6.11 | 2 / 4 | |
| 2026.6.10 | 2 / 4 | |
| 2026.6.9 | 2 / 4 | |
| 2026.6.8 | 2 / 4 | |
| 2026.6.7 | 2 / 4 | |
| 2026.6.6 | 2 / 4 | |
| 2026.6.5 | 2 / 4 | |
| 2026.6.4 | 2 / 4 | |
| 2026.6.3 | 2 / 4 | |
| 2026.6.2 | 2 / 4 | |
| 2026.6.1 | 2 / 4 | |
| 2026.6.0 | 2 / 4 | |
| 2026.5.134 | 2 / 4 | |
| 2026.5.133 | 2 / 4 | |
| 2026.5.132 | 2 / 4 | |
| 2026.5.131 | 2 / 4 | |
| 2026.5.130 | 2 / 4 | |
| 2026.5.129 | 2 / 4 | |
| 2026.5.128 | 2 / 4 | |
| 2026.5.127 | 2 / 4 | |
| 2026.5.126 | 2 / 4 | |
| 2026.5.125 | 2 / 4 | |
| 2026.5.124 | 2 / 4 | |
| 2026.5.123 | 2 / 4 | |
| 2026.5.122 | 2 / 4 | |
| 2026.5.121 | 2 / 4 | |
| 2026.5.120 | 2 / 4 | |
| 2026.5.114 | 2 / 4 | |
| 2026.5.113 | 2 / 4 | |
| 2026.5.112 | 2 / 4 | |
| 2026.5.111 | 2 / 4 | |
| 2026.5.110 | 2 / 4 | |
| 2026.5.109 | 2 / 4 | |
| 2026.5.108 | 2 / 4 | |
| 2026.5.107 | 2 / 4 | |
| 2026.5.106 | 2 / 4 | |
| 2026.5.105 | 2 / 4 | |
| 2026.5.104 | 2 / 4 | |
| 2026.5.103 | 3 / 4 | |
| 2026.5.100 | 2 / 4 | |
| 2026.5.99 | 2 / 4 | |
| 2026.5.98 | 2 / 4 | |
| 2026.5.97 | 2 / 4 | |
| 2026.5.96 | 2 / 4 | |
| 2026.5.95 | 2 / 4 | |
| 2026.5.94 | 2 / 4 | |
| 2026.5.93 | 2 / 4 | |
| 2026.5.92 | 2 / 4 | |
| 2026.5.90 | 2 / 4 | |
| 2026.5.89 | 2 / 4 |
v2026.6.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.134
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.133
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.132
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.131
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.130
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.129
2 findingsPackage contains compiled binaries that could be backdoors: • native/worktree-napi.darwin-arm64.node • native/worktree-napi.linux-arm64-gnu.node • native/worktree-napi.linux-x64-gnu.node • native/worktree-napi.win32-x64-msvc.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.128
2 findingsPackage contains compiled binaries that could be backdoors: • native/worktree-napi.darwin-arm64.node • native/worktree-napi.linux-arm64-gnu.node • native/worktree-napi.linux-x64-gnu.node • native/worktree-napi.win32-x64-msvc.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.127
2 findingsPackage contains compiled binaries that could be backdoors: • native/worktree-napi.darwin-arm64.node • native/worktree-napi.linux-arm64-gnu.node • native/worktree-napi.linux-x64-gnu.node • native/worktree-napi.win32-x64-msvc.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.126
2 findingsPackage contains compiled binaries that could be backdoors: • native/worktree-napi.darwin-arm64.node • native/worktree-napi.linux-arm64-gnu.node • native/worktree-napi.linux-x64-gnu.node • native/worktree-napi.win32-x64-msvc.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.125
2 findingsPackage contains compiled binaries that could be backdoors: • native/worktree-napi.darwin-arm64.node • native/worktree-napi.linux-arm64-gnu.node • native/worktree-napi.linux-x64-gnu.node • native/worktree-napi.win32-x64-msvc.node
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.124
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.123
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.122
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.121
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.120
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.114
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.113
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.112
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.111
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.110
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.109
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.108
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.107
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.106
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.105
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.104
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.103
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.100
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.99
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.98
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.97
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.96
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.95
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.94
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.93
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.92
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.90
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2026.5.89
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.