@codemation/cli
The **Codemation command-line** package: parse arguments, wire a small composition root, and run **build**, **dev**, **serve**, and **user** subcommands against a **consumer project** (your app that defines `codemation.config.ts` and workflows).
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:execa | AI (phantom-deps): execa is a declared runtime dep used via config/scripts; phantom-dep heuristic is a false positive here. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard child-process env passing pattern in a CLI tool; not credential exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fires on 127.0.0.1 (localhost) for local dev gateway URL construction; benign for a CLI tool. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @codemation/cli; edit-distance match to 'joi' is a false positive. | ai | |
| phantom-deps | phantom-dep:bcryptjs | AI (phantom-deps): bcryptjs is listed as a runtime dependency; phantom-dep heuristic is a false positive here. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.0.0 | 17 / 9 | |
| 0.0.39 | 16 / 9 | |
| 0.0.36 | 16 / 9 | |
| 0.0.35 | 16 / 9 | |
| 0.0.34 | 16 / 9 | |
| 0.0.32 | 15 / 9 | |
| 0.0.29 | 15 / 9 | |
| 0.0.28 | 15 / 9 | |
| 0.0.25 | 15 / 9 | |
v1.0.0
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.39
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.36
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.35
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.34
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.32
1 finding. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.29
2 findings. Spreading entire process.env into an object may capture all secrets (flagged at line 45):

```ts
  cwd: nextHostCommand.cwd,
  stdio: "inherit",
  env: {
    ...process.env,
    ...consumerEnv,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.28
2 findings. Spreading entire process.env into an object may capture all secrets (flagged at line 45):

```ts
  cwd: nextHostCommand.cwd,
  stdio: "inherit",
  env: {
    ...process.env,
    ...consumerEnv,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.25
2 findings. Spreading entire process.env into an object may capture all secrets (flagged at line 45):

```ts
  cwd: nextHostCommand.cwd,
  stdio: "inherit",
  env: {
    ...process.env,
    ...consumerEnv,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.