@digigov/cli-lint
Lint plugin for Digigov CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@vitest/eslint-plugin | AI (dependencies): Standard vitest ESLint plugin used as a lint tooling dependency; low risk for this package's purpose. | ai | |
| provenance | missing-githead | AI (provenance): Established package with 217 versions; publisher has 52 approved packages; no other risk signals present. | ai | |
| phantom-deps | phantom-dep:publint | AI (phantom-deps): Config-only tool; not imported directly by design. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config dep; referenced in config files, not imported directly. | ai | |
| phantom-deps | phantom-dep:@rushstack/eslint-patch | AI (phantom-deps): ESLint patch loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-css-modules | AI (phantom-deps): ESLint plugin used in config files, not imported directly. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.3.0 | 17 / 4 | |
| 2.2.3 | 17 / 4 | |
| 2.2.0 | 17 / 4 | |
| 2.1.0 | 17 / 4 | |
| 2.0.14 | 17 / 4 | |
| 2.0.9 | 17 / 4 | |
| 2.0.8 | 17 / 1 | |
| 2.0.6 | 17 / 1 | |
| 2.0.4 | 17 / 1 | |
| 2.0.2 | 17 / 1 |
v2.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.14
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sotirangelo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sotirangelo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sotirangelo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sotirangelo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sotirangelo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.