@constructive-io/cli
Constructive CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI deployment tool intentionally passes env vars to child processes; env-spread is expected behavior here. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately uses child_process for deployment commands; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:pg-env | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:shelljs | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/types | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/server-utils | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:find-and-require-package-json | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/core | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:pgpm | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @constructive-io/cli vs 'joi' is a false positive; edit-distance comparison across scoped names is meaningless here. | ai | |
| phantom-deps | phantom-dep:@constructive-io/graphql-types | AI (phantom-deps): Same-org dependency; likely used via config/re-export pattern, stable false positive. | ai |
Versions (showing 100 of 269)
| Version | Deps | Published |
|---|---|---|
| 7.23.9 | 20 / 9 | |
| 7.23.8 | 20 / 9 | |
| 7.23.7 | 20 / 9 | |
| 7.23.6 | 20 / 9 | |
| 7.23.5 | 20 / 9 | |
| 7.23.4 | 20 / 9 | |
| 7.23.3 | 20 / 9 | |
| 7.23.2 | 20 / 9 | |
| 7.23.1 | 20 / 9 | |
| 7.23.0 | 20 / 9 | |
| 7.22.5 | 20 / 9 | |
| 7.22.4 | 20 / 9 | |
| 7.22.3 | 20 / 9 | |
| 7.22.2 | 20 / 9 | |
| 7.22.1 | 20 / 9 | |
| 7.22.0 | 20 / 9 | |
| 7.21.7 | 20 / 9 | |
| 7.21.6 | 20 / 9 | |
| 7.21.5 | 20 / 9 | |
| 7.21.4 | 20 / 9 | |
| 7.21.3 | 20 / 9 | |
| 7.21.2 | 20 / 9 | |
| 7.21.1 | 20 / 9 | |
| 7.21.0 | 20 / 9 | |
| 7.20.10 | 20 / 9 | |
| 7.20.9 | 20 / 9 | |
| 7.20.8 | 20 / 9 | |
| 7.20.7 | 20 / 9 | |
| 7.20.6 | 20 / 9 | |
| 7.20.5 | 20 / 9 | |
| 7.20.4 | 20 / 9 | |
| 7.20.3 | 20 / 9 | |
| 7.20.2 | 20 / 9 | |
| 7.20.0 | 20 / 9 | |
| 7.19.8 | 20 / 9 | |
| 7.19.7 | 20 / 9 | |
| 7.19.6 | 20 / 9 | |
| 7.19.5 | 20 / 9 | |
| 7.19.4 | 20 / 9 | |
| 7.19.3 | 20 / 9 | |
| 7.19.2 | 20 / 9 | |
| 7.19.1 | 20 / 9 | |
| 7.19.0 | 20 / 9 | |
| 7.18.2 | 20 / 9 | |
| 7.18.1 | 20 / 9 | |
| 7.18.0 | 20 / 9 | |
| 7.17.4 | 20 / 9 | |
| 7.17.3 | 20 / 9 | |
| 7.17.2 | 20 / 9 | |
| 7.17.1 | 20 / 9 | |
| 7.17.0 | 20 / 9 | |
| 7.16.4 | 20 / 9 | |
| 7.16.3 | 20 / 9 | |
| 7.16.2 | 20 / 9 | |
| 7.16.1 | 20 / 9 | |
| 7.16.0 | 20 / 9 | |
| 7.15.1 | 20 / 9 | |
| 7.15.0 | 20 / 9 | |
| 7.14.1 | 20 / 9 | |
| 7.14.0 | 20 / 9 | |
| 7.13.13 | 20 / 9 | |
| 7.13.12 | 20 / 9 | |
| 7.13.11 | 20 / 9 | |
| 7.13.10 | 20 / 9 | |
| 7.13.9 | 20 / 9 | |
| 7.13.8 | 20 / 9 | |
| 7.13.7 | 20 / 9 | |
| 7.13.6 | 20 / 9 | |
| 7.13.5 | 20 / 9 | |
| 7.13.4 | 20 / 9 | |
| 7.13.3 | 20 / 9 | |
| 7.13.2 | 20 / 9 | |
| 7.13.1 | 20 / 9 | |
| 7.13.0 | 20 / 9 | |
| 7.12.8 | 20 / 9 | |
| 7.12.7 | 20 / 9 | |
| 7.12.6 | 20 / 9 | |
| 7.12.5 | 20 / 9 | |
| 7.12.4 | 20 / 9 | |
| 7.12.3 | 20 / 9 | |
| 7.12.2 | 20 / 9 | |
| 7.12.1 | 20 / 9 | |
| 7.12.0 | 20 / 9 | |
| 7.11.21 | 20 / 9 | |
| 7.11.20 | 20 / 9 | |
| 7.11.19 | 20 / 9 | |
| 7.11.18 | 20 / 9 | |
| 7.11.17 | 20 / 9 | |
| 7.11.16 | 20 / 9 | |
| 7.11.15 | 20 / 9 | |
| 7.11.14 | 20 / 9 | |
| 7.11.13 | 20 / 9 | |
| 7.11.12 | 20 / 9 | |
| 7.11.11 | 20 / 9 | |
| 7.11.10 | 20 / 9 | |
| 7.11.9 | 20 / 9 | |
| 7.11.8 | 20 / 9 | |
| 7.11.7 | 20 / 9 | |
| 7.11.6 | 20 / 9 | |
| 7.11.5 | 20 / 9 |
v7.23.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.18.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.18.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.18.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.15.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.13.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.