@devvit/cli — Greenflagged

Reddit's Dev Platform CLI Tool

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

marcuswood23niedzielskidevvit-cli-botvedredditcolacadstinkgunschkrakabeksecurimancer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:ps-node	AI (dependencies): ps-node is a legitimate process-listing utility appropriate for a CLI tool; stable dependency across versions.	ai	2026/05/17
phantom-deps	phantom-dep:lookpath	AI (phantom-deps): Binary lookup utility used indirectly; stable false positive for this CLI package.	ai	2026/05/11
phantom-deps	phantom-dep:listr	AI (phantom-deps): CLI task-runner loaded dynamically; stable pattern for this package.	ai	2026/05/11
phantom-deps	phantom-dep:tsv	AI (phantom-deps): Referenced in config/build context for oclif CLI; not a direct import by design.	ai	2026/05/11
phantom-deps	phantom-dep:get-port	AI (phantom-deps): Port utility used indirectly in CLI dev server flow; stable false positive.	ai	2026/05/11
phantom-deps	phantom-dep:ps-node	AI (phantom-deps): Process utility used indirectly; consistent with CLI tooling pattern.	ai	2026/05/11
dependencies	unvetted-dep:@devvit/play	AI (dependencies): First-party @devvit/* scoped package from the same publisher; consistent with the rest of the dependency tree.	ai	2026/05/11
dependencies	unvetted-dep:twirp-ts	AI (dependencies): Stable gRPC/Twirp transport dep used consistently across devvit CLI versions.	ai	2026/05/01
dependencies	unvetted-dep:@devvit/build-pack	AI (dependencies): First-party sibling package in the @devvit monorepo; stable pattern across all versions.	ai	2026/05/01
provenance	no-provenance	AI (provenance): Established Reddit-owned CLI; lack of Sigstore provenance is consistent across all prior versions.	ai	2026/05/01
phantom-deps	phantom-dep:@oclif/plugin-warn-if-update-available	AI (phantom-deps): oclif plugins are loaded by convention via oclif config, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-autocomplete	AI (phantom-deps): oclif plugins are loaded by convention via oclif config, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-not-found	AI (phantom-deps): oclif plugins are loaded by convention via oclif config, not direct imports.	ai	2026/04/29
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped @devvit/cli package from Reddit's dev platform; levenshtein match to 'joi' is a false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-help	AI (phantom-deps): oclif plugins are loaded by convention via oclif config, not direct imports.	ai	2026/04/29
phantom-deps	phantom-dep:@types/ws	AI (phantom-deps): Type-only package for ws; used at compile time, not directly imported at runtime.	ai	2026/04/29

Versions (showing 21 of 21)

Version	Deps	Published
0.12.24	36 / 15	2026-05-18
0.12.23	36 / 15	2026-05-11
0.12.22	36 / 15	2026-05-01
0.12.21	36 / 15	2026-04-27
0.12.20	36 / 15	2026-04-20
0.12.19	36 / 15	2026-04-13
0.12.18	36 / 15	2026-04-06
0.12.17	36 / 15	2026-03-30
0.12.16	36 / 15	2026-03-23
0.12.15	36 / 15	2026-03-16
0.12.14	36 / 15	2026-03-09
0.12.13	34 / 15	2026-02-17
0.12.8	32 / 14	2026-01-12
0.12.6	31 / 14	2025-12-15
0.12.5	31 / 14	2025-12-02
0.12.3	31 / 14	2025-11-17
0.12.2	31 / 14	2025-11-12
0.12.1	31 / 14	2025-10-13
0.11.18	32 / 15	2025-07-01
0.11.16	34 / 19	2025-05-27
0.11.15	34 / 19	2025-05-08

v0.12.24

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.23

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.22

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.20

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.19

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.17

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.18

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.