← Home

@doist/outline-cli

npm Repository Homepage

CLI for the Outline wiki/knowledge base API

8
Versions
MIT
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ricardoisthenningmujvalenteantondoistjefcurtisdoistbotfbidugoncalossilvaomar.doist.comitsevertvscottatdoisternestodoist

Keywords

outlinewikicli

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:marked AI (phantom-deps): marked is used indirectly via marked-terminal-renderer; phantom-dep heuristic fires on indirect usage patterns. ai
phantom-deps phantom-dep:oauth4webapi AI (phantom-deps): oauth4webapi likely consumed via @doist/cli-core OAuth abstraction; indirect import pattern. ai
phantom-deps phantom-dep:marked-terminal-renderer AI (phantom-deps): Renderer likely passed as config/plugin to marked rather than directly imported; phantom-dep heuristic false positive. ai
provenance publisher-changed AI (provenance): Doist org moved to GitHub Actions CI publishing; SLSA provenance attestation confirms legitimate automated release. ai
install-scripts install-script:postinstall AI (install-scripts): Doist org CLI with SLSA provenance; postinstall runs a local JS script, consistent with legitimate CLI setup. ai

Versions (showing 8 of 8)

Version Deps Published
1.9.0 8 / 10
1.5.1 7 / 10
1.5.0 7 / 10
1.3.0 7 / 10
1.0.2 7 / 13
1.0.1 6 / 13
1.0.0 6 / 12
0.0.1 0 / 0

v1.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.5.0

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.0

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.2

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

HIGH Publisher changed: ricardoist → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

3 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

HIGH Publisher changed: ricardoist → GitHub Actions (on 2026-03-25) provenance

This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.