@diplodoc/cli-tests
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@diplodoc/cli | AI (npm-metadata): file:.. is a devDependency for local monorepo development; not shipped to consumers. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation; consistent with org-level CI migration. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Test fixture package; missing metadata is expected for internal tooling. | ai | |
| dependencies | unvetted-dep:@diplodoc/liquid | AI (dependencies): Same-org dependency from diplodoc-platform; stable internal dep for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Test helper package; missing description is cosmetic and consistent across versions. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Test utility package; strip-ansi used in test helpers by convention. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is a build/dev tool loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type definitions package; loaded by TypeScript compiler by convention. | ai | |
| phantom-deps | phantom-dep:@diplodoc/liquid | AI (phantom-deps): Same-org dependency used in test fixtures; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-v8 | AI (phantom-deps): Vitest coverage plugin loaded by framework convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-istanbul | AI (phantom-deps): Vitest coverage plugin loaded by framework convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:ts-dedent | AI (phantom-deps): Test utility package; ts-dedent used in test files by convention. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Test utility package; js-yaml used in config/test files by convention. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Test utility package; glob used in config/test files by convention. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread in bin.mjs is passing process.env to a child process in a test runner — standard and intentional pattern. | ai |
Versions (showing 51 of 112)
| Version | Deps | Published |
|---|---|---|
| 5.43.0 | 10 / 1 | |
| 5.42.2 | 10 / 1 | |
| 5.42.1 | 10 / 1 | |
| 5.42.0 | 10 / 1 | |
| 5.41.0 | 10 / 1 | |
| 5.40.0 | 10 / 1 | |
| 5.39.8 | 10 / 1 | |
| 5.39.7 | 10 / 1 | |
| 5.39.6 | 10 / 1 | |
| 5.39.5 | 10 / 1 | |
| 5.39.4 | 10 / 1 | |
| 5.39.3 | 10 / 1 | |
| 5.39.2 | 10 / 1 | |
| 5.39.1 | 10 / 1 | |
| 5.39.0 | 10 / 1 | |
| 5.38.1 | 10 / 1 | |
| 5.38.0 | 10 / 1 | |
| 5.37.1 | 10 / 1 | |
| 5.37.0 | 10 / 1 | |
| 5.36.6 | 10 / 1 | |
| 5.36.5 | 10 / 1 | |
| 5.36.4 | 10 / 1 | |
| 5.36.3 | 10 / 1 | |
| 5.36.2 | 10 / 1 | |
| 5.36.1 | 10 / 1 | |
| 5.36.0 | 10 / 1 | |
| 5.35.3 | 10 / 1 | |
| 5.35.2 | 10 / 1 | |
| 5.35.1 | 10 / 1 | |
| 5.35.0 | 10 / 1 | |
| 5.34.8 | 10 / 1 | |
| 5.34.7 | 10 / 1 | |
| 5.34.6 | 10 / 1 | |
| 5.34.5 | 10 / 1 | |
| 5.34.4 | 10 / 1 | |
| 5.34.3 | 10 / 1 | |
| 5.34.2 | 10 / 1 | |
| 5.34.1 | 10 / 1 | |
| 5.34.0 | 10 / 1 | |
| 5.33.2 | 10 / 1 | |
| 5.33.1 | 10 / 1 | |
| 5.33.0 | 10 / 1 | |
| 5.32.1 | 10 / 1 | |
| 5.32.0 | 10 / 1 | |
| 5.31.2 | 10 / 1 | |
| 5.31.1 | 10 / 1 | |
| 5.31.0 | 10 / 1 | |
| 5.30.0 | 10 / 1 | |
| 5.29.0 | 10 / 1 | |
| 5.28.0 | 10 / 1 | |
| 5.27.4 | 10 / 1 |
v5.43.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.41.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.40.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.38.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.38.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.37.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.37.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.0
3 findingsSpreading entire process.env into an object — may capture all secrets Source: ssh://[email protected]/diplodoc-platform/cli/blob/0ea8b8dd51eb0f112b59c77dddd9f42e88db7adc/bin.mjs#L20 18 | { 19 | stdio: ['inherit', 'pipe', 'pipe'], > 20 | env: {...process.env, NODE_ENV: 'test'}, 21 | reject: false, 22 | },
Spreading entire process.env into an object — may capture all secrets Source: ssh://[email protected]/diplodoc-platform/cli/blob/0ea8b8dd51eb0f112b59c77dddd9f42e88db7adc/fixtures/runners/binary.ts#L17 15 | all: true, 16 | reject: false, > 17 | env: {...process.env, ...env}, 18 | }); 19 | const report = {
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.32.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.32.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.30.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.29.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.