@diplodoc/cli-tests
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@diplodoc/cli | AI (npm-metadata): file:.. is a devDependency for local monorepo development; not shipped to consumers. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation; consistent with org-level CI migration. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Test fixture package; missing metadata is expected for internal tooling. | ai | |
| dependencies | unvetted-dep:@diplodoc/liquid | AI (dependencies): Same-org dependency from diplodoc-platform; stable internal dep for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Test helper package; missing description is cosmetic and consistent across versions. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Test utility package; strip-ansi used in test helpers by convention. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is a build/dev tool loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type definitions package; loaded by TypeScript compiler by convention. | ai | |
| phantom-deps | phantom-dep:@diplodoc/liquid | AI (phantom-deps): Same-org dependency used in test fixtures; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-v8 | AI (phantom-deps): Vitest coverage plugin loaded by framework convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-istanbul | AI (phantom-deps): Vitest coverage plugin loaded by framework convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:ts-dedent | AI (phantom-deps): Test utility package; ts-dedent used in test files by convention. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Test utility package; js-yaml used in config/test files by convention. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Test utility package; glob used in config/test files by convention. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread in bin.mjs is passing process.env to a child process in a test runner — standard and intentional pattern. | ai |
Versions (showing 100 of 112)
| Version | Deps | Published |
|---|---|---|
| 5.43.0 | 10 / 1 | |
| 5.42.2 | 10 / 1 | |
| 5.42.1 | 10 / 1 | |
| 5.42.0 | 10 / 1 | |
| 5.41.0 | 10 / 1 | |
| 5.40.0 | 10 / 1 | |
| 5.39.8 | 10 / 1 | |
| 5.39.7 | 10 / 1 | |
| 5.39.6 | 10 / 1 | |
| 5.39.5 | 10 / 1 | |
| 5.39.4 | 10 / 1 | |
| 5.39.3 | 10 / 1 | |
| 5.39.2 | 10 / 1 | |
| 5.39.1 | 10 / 1 | |
| 5.39.0 | 10 / 1 | |
| 5.38.1 | 10 / 1 | |
| 5.38.0 | 10 / 1 | |
| 5.37.1 | 10 / 1 | |
| 5.37.0 | 10 / 1 | |
| 5.36.6 | 10 / 1 | |
| 5.36.5 | 10 / 1 | |
| 5.36.4 | 10 / 1 | |
| 5.36.3 | 10 / 1 | |
| 5.36.2 | 10 / 1 | |
| 5.36.1 | 10 / 1 | |
| 5.36.0 | 10 / 1 | |
| 5.35.3 | 10 / 1 | |
| 5.35.2 | 10 / 1 | |
| 5.35.1 | 10 / 1 | |
| 5.35.0 | 10 / 1 | |
| 5.34.8 | 10 / 1 | |
| 5.34.7 | 10 / 1 | |
| 5.34.6 | 10 / 1 | |
| 5.34.5 | 10 / 1 | |
| 5.34.4 | 10 / 1 | |
| 5.34.3 | 10 / 1 | |
| 5.34.2 | 10 / 1 | |
| 5.34.1 | 10 / 1 | |
| 5.34.0 | 10 / 1 | |
| 5.33.2 | 10 / 1 | |
| 5.33.1 | 10 / 1 | |
| 5.33.0 | 10 / 1 | |
| 5.32.1 | 10 / 1 | |
| 5.32.0 | 10 / 1 | |
| 5.31.2 | 10 / 1 | |
| 5.31.1 | 10 / 1 | |
| 5.31.0 | 10 / 1 | |
| 5.30.0 | 10 / 1 | |
| 5.29.0 | 10 / 1 | |
| 5.28.0 | 10 / 1 | |
| 5.27.4 | 10 / 1 | |
| 5.27.3 | 10 / 1 | |
| 5.27.2 | 10 / 1 | |
| 5.27.1 | 10 / 1 | |
| 5.27.0 | 10 / 1 | |
| 5.26.2 | 10 / 1 | |
| 5.26.1 | 10 / 1 | |
| 5.26.0 | 10 / 1 | |
| 5.25.4 | 10 / 1 | |
| 5.25.3 | 10 / 1 | |
| 5.25.2 | 10 / 1 | |
| 5.25.1 | 10 / 1 | |
| 5.25.0 | 10 / 1 | |
| 5.24.3 | 10 / 1 | |
| 5.24.2 | 10 / 1 | |
| 5.24.1 | 10 / 1 | |
| 5.24.0 | 10 / 1 | |
| 5.23.1 | 10 / 1 | |
| 5.19.10 | 10 / 1 | |
| 5.15.7 | 10 / 1 | |
| 5.15.5 | 10 / 1 | |
| 5.15.4 | 10 / 1 | |
| 5.15.3 | 10 / 1 | |
| 5.15.2 | 10 / 1 | |
| 5.15.1 | 10 / 1 | |
| 5.15.0 | 10 / 1 | |
| 5.14.1 | 10 / 1 | |
| 5.14.0 | 10 / 1 | |
| 5.13.3 | 10 / 1 | |
| 5.13.2 | 10 / 1 | |
| 5.13.1 | 10 / 1 | |
| 5.13.0 | 10 / 1 | |
| 5.12.5 | 10 / 1 | |
| 5.12.4 | 10 / 1 | |
| 5.12.3 | 10 / 1 | |
| 5.12.2 | 10 / 1 | |
| 5.12.1 | 10 / 1 | |
| 5.12.0 | 10 / 1 | |
| 5.11.6 | 10 / 1 | |
| 5.11.5 | 10 / 1 | |
| 5.11.4 | 10 / 1 | |
| 5.11.3 | 10 / 1 | |
| 5.11.2 | 10 / 1 | |
| 5.11.1 | 10 / 1 | |
| 5.11.0 | 10 / 1 | |
| 5.10.3 | 10 / 1 | |
| 5.10.2 | 10 / 1 | |
| 5.10.1 | 10 / 1 | |
| 5.10.0 | 10 / 1 | |
| 5.9.5 | 10 / 1 |
v5.43.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.42.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.41.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.40.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.39.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.38.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.38.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.37.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.37.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.36.0
3 findingsSpreading entire process.env into an object — may capture all secrets Source: ssh://[email protected]/diplodoc-platform/cli/blob/0ea8b8dd51eb0f112b59c77dddd9f42e88db7adc/bin.mjs#L20 18 | { 19 | stdio: ['inherit', 'pipe', 'pipe'], > 20 | env: {...process.env, NODE_ENV: 'test'}, 21 | reject: false, 22 | },
Spreading entire process.env into an object — may capture all secrets Source: ssh://[email protected]/diplodoc-platform/cli/blob/0ea8b8dd51eb0f112b59c77dddd9f42e88db7adc/fixtures/runners/binary.ts#L17 15 | all: true, 16 | reject: false, > 17 | env: {...process.env, ...env}, 18 | }); 19 | const report = {
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.35.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.34.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.33.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.32.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.32.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.31.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.30.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.29.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.27.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.26.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.26.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.26.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.25.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.24.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.23.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.19.10
2 findingsThis version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.15.7
2 findingsThis version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.15.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.11.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.10.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.9.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.