@constructive-io/cli
Constructive CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): CLI deployment tool intentionally passes env vars to child processes; env-spread is expected behavior here. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately uses child_process for deployment commands; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:pg-env | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:shelljs | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/types | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/server-utils | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:find-and-require-package-json | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@pgpmjs/core | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:pgpm | AI (phantom-deps): CLI tool; deps referenced in config files, not direct imports — stable pattern for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @constructive-io/cli vs 'joi' is a false positive; edit-distance comparison across scoped names is meaningless here. | ai | |
| phantom-deps | phantom-dep:@constructive-io/graphql-types | AI (phantom-deps): Same-org dependency; likely used via config/re-export pattern, stable false positive. | ai |
Versions (showing 69 of 277)
| Version | Deps | Published |
|---|---|---|
| 5.6.22 | 18 / 10 | |
| 5.6.21 | 18 / 10 | |
| 5.6.20 | 18 / 10 | |
| 5.6.18 | 18 / 10 | |
| 5.6.17 | 18 / 10 | |
| 5.6.16 | 18 / 10 | |
| 5.6.15 | 18 / 10 | |
| 5.6.14 | 18 / 10 | |
| 5.6.13 | 18 / 10 | |
| 5.6.12 | 18 / 10 | |
| 5.6.11 | 18 / 10 | |
| 5.6.10 | 18 / 10 | |
| 5.6.9 | 18 / 10 | |
| 5.6.8 | 18 / 10 | |
| 5.6.7 | 18 / 10 | |
| 5.6.6 | 18 / 10 | |
| 5.6.5 | 18 / 10 | |
| 5.6.4 | 18 / 10 | |
| 5.6.3 | 18 / 10 | |
| 5.6.2 | 18 / 10 | |
| 5.6.1 | 18 / 10 | |
| 5.6.0 | 18 / 10 | |
| 5.5.0 | 18 / 10 | |
| 5.4.13 | 18 / 10 | |
| 5.4.12 | 18 / 10 | |
| 5.4.11 | 18 / 10 | |
| 5.4.10 | 18 / 10 | |
| 5.4.9 | 18 / 10 | |
| 5.4.8 | 18 / 10 | |
| 5.4.7 | 18 / 10 | |
| 5.4.6 | 18 / 10 | |
| 5.4.5 | 18 / 10 | |
| 5.4.4 | 18 / 10 | |
| 5.4.3 | 18 / 10 | |
| 5.4.2 | 18 / 10 | |
| 5.4.1 | 18 / 10 | |
| 5.4.0 | 18 / 10 | |
| 5.3.1 | 18 / 10 | |
| 5.3.0 | 18 / 10 | |
| 5.2.2 | 17 / 10 | |
| 5.2.1 | 17 / 10 | |
| 5.2.0 | 17 / 10 | |
| 5.1.24 | 17 / 10 | |
| 5.1.23 | 17 / 10 | |
| 5.1.22 | 17 / 10 | |
| 5.1.21 | 17 / 10 | |
| 5.1.20 | 17 / 10 | |
| 5.1.19 | 17 / 10 | |
| 5.1.18 | 17 / 10 | |
| 5.1.17 | 17 / 10 | |
| 5.1.16 | 17 / 10 | |
| 5.1.15 | 17 / 10 | |
| 5.1.14 | 17 / 10 | |
| 5.1.13 | 17 / 10 | |
| 5.1.12 | 17 / 10 | |
| 5.1.11 | 17 / 10 | |
| 5.1.10 | 17 / 10 | |
| 5.1.9 | 17 / 10 | |
| 5.1.8 | 17 / 10 | |
| 5.1.7 | 17 / 10 | |
| 5.1.6 | 17 / 10 | |
| 5.1.5 | 17 / 10 | |
| 5.1.4 | 17 / 10 | |
| 5.1.3 | 17 / 10 | |
| 5.1.2 | 17 / 10 | |
| 5.1.1 | 17 / 10 | |
| 5.1.0 | 17 / 10 | |
| 0.0.3 | 12 / 9 | |
| 0.0.2 | 12 / 9 |
v5.6.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
3 findingsSpreading entire process.env into an object — may capture all secrets 61 | return new Promise((resolve, reject) => { 62 | const envVars = configToEnvVars(config); > 63 | const env = { 64 | ...process.env, 65 | ...envVars
Spreading entire process.env into an object — may capture all secrets 59 | return new Promise((resolve, reject) => { 60 | const envVars = configToEnvVars(config); > 61 | const env = { 62 | ...process.env, 63 | ...envVars
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
3 findingsSpreading entire process.env into an object — may capture all secrets 61 | return new Promise((resolve, reject) => { 62 | const envVars = configToEnvVars(config); > 63 | const env = { 64 | ...process.env, 65 | ...envVars
Spreading entire process.env into an object — may capture all secrets 59 | return new Promise((resolve, reject) => { 60 | const envVars = configToEnvVars(config); > 61 | const env = { 62 | ...process.env, 63 | ...envVars
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.