@doist/todoist-cli
TypeScript CLI for Todoist
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:oauth4webapi | AI (phantom-deps): Likely used indirectly via @doist/cli-core or dynamic import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Rendering dependency likely loaded conditionally; stable false positive for this CLI package. | ai | |
| phantom-deps | phantom-dep:marked-terminal-renderer | AI (phantom-deps): Paired with marked for terminal rendering; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@napi-rs/keyring | AI (phantom-deps): Native keyring binding likely loaded conditionally at runtime; stable false positive for this CLI. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA provenance from official Doist org repo; expected pattern. | ai | |
| source-diff | obfuscated-file:dist/lib/skills/content.d.ts | AI (source-diff): Long line is a readable string constant (CLI help text), not obfuscated code. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): CLI tool using @pnpm/tabtab; postinstall runs bundled scripts/postinstall.js for tab-completion setup — stable pattern for this package. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 1.71.0 | 11 / 11 | |
| 1.60.3 | 10 / 11 | |
| 1.60.0 | 10 / 11 | |
| 1.59.0 | 10 / 11 | |
| 1.30.0 | 10 / 11 | |
| 1.29.5 | 10 / 11 | |
| 1.20.0 | 9 / 7 | |
| 1.16.0 | 9 / 7 | |
| 1.14.0 | 9 / 7 | |
| 1.13.0 | 9 / 7 | |
| 1.12.0 | 8 / 7 | |
| 1.11.0 | 8 / 7 | |
| 1.10.0 | 8 / 7 | |
| 1.9.0 | 8 / 7 | |
| 1.8.1 | 8 / 7 | |
| 1.8.0 | 8 / 7 | |
| 1.7.0 | 8 / 7 | |
| 1.6.1 | 8 / 7 | |
| 1.6.0 | 8 / 7 | |
| 1.5.0 | 7 / 7 | |
| 1.4.0 | 7 / 7 | |
| 1.3.0 | 7 / 7 | |
| 1.2.0 | 7 / 7 | |
| 1.1.2 | 7 / 7 |
v1.71.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.3
2 findingsScript: node scripts/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.0
2 findingsScript: node scripts/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.0
4 findingsScript: node scripts/postinstall.js
This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.29.5
4 findingsScript: node scripts/postinstall.js
This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.20.0
4 findingsScript: node dist/postinstall.js || true
This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.16.0
4 findingsScript: node dist/postinstall.js || true
This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.12.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.1
3 findingsThis version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.1
3 findingsThis version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
3 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
3 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.0
3 findingsThis version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
3 findingsThis version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.