@constellationdev/cli
Codebase Understanding for AI Coding Agents
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
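The check behind that statement can be automated. The example below is added here and is not code from the report or from @constellationdev/cli: it walks an npm registry packument (the JSON returned for a package name) and reports which versions advertise a Sigstore/SLSA provenance attestation. It assumes the registry shape in which a version published with provenance exposes `dist.attestations.provenance.predicateType` and an unattested version has no `dist.attestations` field; the sample packument, its tarball URLs and the attested version 1.2.0 are constructed for illustration.

```javascript
// Added example, not part of the report or of @constellationdev/cli itself.
// Assumed registry shape (npm registry API): a version published with
// provenance carries
//   versions[v].dist.attestations = { url, provenance: { predicateType } }
// while a version published without it has no dist.attestations at all.

const SLSA_PREDICATE_TYPES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

// True only when the version metadata advertises a SLSA provenance predicate.
// A missing field, or an attestation of another predicate type, counts as
// "no provenance" so the check fails closed.
function hasProvenance(versionMeta) {
  const predicateType = versionMeta?.dist?.attestations?.provenance?.predicateType;
  return typeof predicateType === "string" && SLSA_PREDICATE_TYPES.has(predicateType);
}

// Lists the versions of a packument that lack provenance, in packument order.
function versionsWithoutProvenance(packument) {
  return Object.entries(packument.versions ?? {})
    .filter(([, meta]) => !hasProvenance(meta))
    .map(([version]) => version);
}

// Policy helper: block a version whose tarball is not linked to source by
// provenance unless the reviewer has explicitly accepted that risk.
function evaluateVersion(packument, version, { allowUnattested = false } = {}) {
  const meta = packument.versions?.[version];
  if (!meta) return { version, decision: "unknown-version" };
  if (hasProvenance(meta)) return { version, decision: "allow", reason: "slsa-provenance" };
  return allowUnattested
    ? { version, decision: "allow", reason: "accepted-risk" }
    : { version, decision: "block", reason: "no-provenance" };
}

// Constructed sample packument. The three unattested versions mirror the
// report's findings; 1.2.0 is hypothetical and shows what a version published
// from CI with `npm publish --provenance` would look like. URLs are placeholders.
const samplePackument = {
  name: "@constellationdev/cli",
  versions: {
    "1.1.0": { version: "1.1.0", dist: { tarball: "https://registry.example/cli-1.1.0.tgz" } },
    "1.0.0": { version: "1.0.0", dist: { tarball: "https://registry.example/cli-1.0.0.tgz" } },
    "0.8.1": { version: "0.8.1", dist: { tarball: "https://registry.example/cli-0.8.1.tgz" } },
    "1.2.0": {
      version: "1.2.0",
      dist: {
        tarball: "https://registry.example/cli-1.2.0.tgz",
        attestations: {
          url: "https://registry.example/-/npm/v1/attestations/@constellationdev%2fcli@1.2.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

console.log("without provenance:", versionsWithoutProvenance(samplePackument));
console.log(evaluateVersion(samplePackument, "1.1.0"));
console.log(evaluateVersion(samplePackument, "1.1.0", { allowUnattested: true }));
console.log(evaluateVersion(samplePackument, "1.2.0"));
```

Against the live registry you would fetch `https://registry.npmjs.org/@constellationdev%2fcli` and pass the parsed JSON in, or run `npm view @constellationdev/cli dist.attestations` for a single version. Presence of the field is only the first hurdle: the attestation bundle still has to be verified against Sigstore, which `npm audit signatures` does for installed packages, and even verified provenance only tells you which repository and workflow built the tarball, not that the source itself was benign.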
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:tree-sitter-python | AI (phantom-deps): Native tree-sitter grammar; correctly declared as dependency. | ai | |
| phantom-deps | phantom-dep:tree-sitter-javascript | AI (phantom-deps): Native tree-sitter grammar; correctly declared as dependency. | ai | |
| phantom-deps | phantom-dep:tree-sitter-typescript | AI (phantom-deps): Native tree-sitter grammar; correctly declared as dependency. | ai | |
| phantom-deps | phantom-dep:@constellationdev/types | AI (phantom-deps): Same-org type definitions package; expected dependency for this CLI. | ai | |
| phantom-deps | phantom-dep:vscode-languageserver-protocol | AI (phantom-deps): Bundled CLI; LSP protocol types used in source and bundled into dist. | ai | |
| phantom-deps | phantom-dep:ansi-colors | AI (phantom-deps): Bundled CLI; ansi-colors is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:tree-sitter | AI (phantom-deps): Native binding; tree-sitter cannot be bundled and is correctly declared as dependency. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Bundled CLI (tsup); deps are consumed in source and bundled into dist. Declared deps are correct. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Bundled CLI; zod is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Bundled CLI; yaml is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Bundled CLI; ignore is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:undici | AI (phantom-deps): Known runtime/implicit dependency used for HTTP requests in bundled CLI. | ai | |
| phantom-deps | phantom-dep:tsconfck | AI (phantom-deps): Bundled CLI; tsconfck is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:simple-git | AI (phantom-deps): Bundled CLI; simple-git is used in source and bundled into dist output. | ai | |
| phantom-deps | phantom-dep:@scure/base | AI (phantom-deps): Bundled CLI; @scure/base is used in source and bundled into dist output. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @constellationdev/cli is not a plausible typosquat of 'joi'; different domain, purpose, and namespace. Levenshtein match is a false positive. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.1.0 | 19 / 18 | |
| 1.0.0 | 18 / 18 | |
| 0.8.1 | 18 / 18 | |
| 0.8.0 | 18 / 18 | |
| 0.7.1 | 17 / 18 | |
| 0.7.0 | 17 / 18 | |
| 0.6.2 | 17 / 18 | |
| 0.6.1 | 17 / 18 | |
| 0.6.0 | 17 / 18 | |
| 0.5.1 | 17 / 18 | |
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.