@dcl/sdk-commands
CLI tools for Decentraland scene development.
| Versions | License | Install Scripts | Provenance |
|---|---|---|---|
| 4 | Apache-2.0 | Yes | Verified |
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
decentralandbotimazzara
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@dcl/protocol | AI (dependencies): Pinned pre-release from Decentraland org; consistent pattern across SDK versions. | ai | |
| dependencies | unvetted-dep:@dcl/mini-comms | AI (dependencies): Pinned pre-release from Decentraland org; consistent pattern across SDK versions. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall conditionally runs only inside node_modules; documented SDK bootstrap pattern for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in postinstall for SDK scene bootstrapping; guarded by node_modules check, not malicious. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 7.23.3 | 38 / 6 | |
| 7.22.5 | 38 / 6 | |
| 7.22.4 | 38 / 6 | |
| 7.8.8 | 34 / 5 | |
Per-version findings

| Version | Findings | Severity | Category | Finding | Detail |
|---|---|---|---|---|---|
| v7.23.3 | 1 | INFO | provenance | Has SLSA provenance attestation | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. |
| v7.22.4 | 1 | INFO | provenance | Has SLSA provenance attestation | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. |
| v7.8.8 | 1 | INFO | provenance | Has SLSA provenance attestation | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. |