@drupal-canvas/cli
CLI tool for managing Drupal Canvas code components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: a publish token alone is enough to upload contents that never appeared in the repository, and the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Consistent with this package's pattern of phantom deps due to tsup bundling; same pattern accepted for many other deps in this package. | ai | |
| phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): Consistent with this package's pattern of phantom deps due to tsup bundling; same pattern accepted for many other deps in this package. | ai | |
| phantom-deps | phantom-dep:drupal-canvas | AI (phantom-deps): Same org/project scope; consistent with phantom-dep pattern for this package due to tsup bundling. | ai | |
| phantom-deps | phantom-dep:opentype.js | AI (phantom-deps): Legitimate font parsing library; consistent with phantom-dep pattern for this package due to tsup bundling. | ai | |
| phantom-deps | phantom-dep:unifont | AI (phantom-deps): Legitimate font utility library; consistent with phantom-dep pattern for this package due to tsup bundling. | ai | |
| phantom-deps | phantom-dep:woff2-encoder | AI (phantom-deps): Legitimate WOFF2 encoding library; consistent with phantom-dep pattern for this package due to tsup bundling. | ai | |
| phantom-deps | phantom-dep:vite | AI (phantom-deps): CLI tool bundled via tsup; declared deps may be used at build time or loaded dynamically. Pattern is consistent with a bundled CLI. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:@drupal-canvas/eslint-config | AI (phantom-deps): Same org scope; same bundled CLI pattern. Not a malicious signal. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:table | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:tailwindcss-in-browser | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:@clack/prompts | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:lightningcss | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:@swc/wasm | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Same bundled CLI pattern; not a malicious signal. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @drupal-canvas/cli has no relation to joi; Levenshtein match is a false positive based on coincidental string distance. | ai | |
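The accepted rows above all rest on one argument: a dependency declared in package.json but never imported by the shipped files is a "phantom" because tsup inlined it. A reviewer should be able to reproduce that rule rather than take it on trust. The following is an added example, not the scanner's own rule and not code from @drupal-canvas/cli; it scans the files of an unpacked tarball for import/require specifiers, maps each to a package name, and reports both directions: declared-but-unreferenced (the benign bundling case) and referenced-but-undeclared (the case that actually deserves attention, since the code will resolve it from whatever happens to be installed). The package.json and file contents are constructed samples, and the builtin list is a partial hard-coded set.

```javascript
// Added example: phantom-dependency check over a published npm package.
// Not part of the scanner page or the @drupal-canvas/cli project.
"use strict";

// Matches `from "x"`, `import "x"`, `import("x")` and `require("x")`.
// Crude on purpose: it also fires on those words inside string literals, which
// only adds false "referenced" entries, never hides a phantom.
const SPECIFIER_RE = /\b(?:from|import|require)\s*\(?\s*["']([^"']+)["']/g;

// Partial list of Node builtins; anything here (or prefixed `node:`) is not a dependency.
const NODE_BUILTINS = new Set([
  "fs", "path", "os", "url", "util", "events", "stream", "crypto", "child_process",
  "http", "https", "zlib", "readline", "process", "module", "assert", "buffer",
]);

// Map an import specifier to the package that provides it, or null if it is
// relative, absolute, a URL scheme, or a Node builtin.
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  if (/^[a-z][a-z0-9+.-]*:/.test(specifier)) return null; // node:fs, data:, https:
  const parts = specifier.split("/");
  if (NODE_BUILTINS.has(parts[0])) return null;
  // Scoped packages keep two segments (@scope/name); subpaths are dropped.
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// pkgJson: parsed package.json; files: { relativePath: sourceText } of the tarball.
function phantomDeps(pkgJson, files) {
  const declared = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.peerDependencies || {}),
    ...Object.keys(pkgJson.optionalDependencies || {}),
  ]);
  const referenced = new Set();
  for (const src of Object.values(files)) {
    for (const m of src.matchAll(SPECIFIER_RE)) {
      const name = packageNameOf(m[1]);
      if (name && name !== pkgJson.name) referenced.add(name);
    }
  }
  return {
    // Declared but never imported: consistent with a bundler having inlined it.
    phantom: [...declared].filter((d) => !referenced.has(d)).sort(),
    // Imported but never declared: resolves from whatever is installed nearby.
    undeclared: [...referenced].filter((r) => !declared.has(r)).sort(),
  };
}

// Constructed sample: a package.json excerpt and two bundled output files.
const SAMPLE_PKG = {
  name: "@drupal-canvas/cli",
  dependencies: {
    axios: "^1.0.0", chalk: "^5.0.0", commander: "^12.0.0",
    "@clack/prompts": "^0.9.0", "js-yaml": "^4.0.0",
  },
};
const SAMPLE_FILES = {
  "dist/index.js": [
    'import { Command } from "commander";',
    'import { readFileSync } from "node:fs";',
    'import { intro } from "@clack/prompts/dist/index.js";',
    "// chalk and axios were inlined by the bundler: their code is here, no import remains.",
    "const chalk = { green: (s) => '\\x1b[32m' + s + '\\x1b[0m' };",
  ].join("\n"),
  "dist/fonts.js": 'const yaml = require("js-yaml");\nconst opentype = require("opentype.js");\n',
};

console.log(phantomDeps(SAMPLE_PKG, SAMPLE_FILES));
```

To run this against the real artifact rather than the constructed sample, fetch the tarball with `npm pack @drupal-canvas/cli@0.18.0`, extract it, and feed the files under `package/` plus its package.json into `phantomDeps`. An `undeclared` entry is the one worth escalating; a long `phantom` list on a tsup-bundled CLI is exactly the pattern the accepted rows describe.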
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.18.0 | 23 / 11 | |
| 0.17.0 | 23 / 11 | |
| 0.16.1 | 23 / 10 | |
| 0.16.0 | 23 / 10 | |
| 0.15.1 | 22 / 10 | |
| 0.15.0 | 22 / 10 | |
| 0.14.0 | 22 / 10 | |
| 0.13.2 | 22 / 10 | |
| 0.13.1 | 22 / 10 | |
| 0.13.0 | 22 / 10 | |
| 0.12.0 | 22 / 10 | |
| 0.11.2 | 20 / 10 | |
| 0.11.1 | 20 / 10 | |
| 0.11.0 | 20 / 10 | |
| 0.10.0 | 15 / 10 | |
| 0.9.0 | 14 / 10 | |
| 0.8.1 | 14 / 10 | |
| 0.8.0 | 14 / 10 | |
| 0.7.3 | 14 / 10 | |
| 0.7.2 | 14 / 10 | |
| 0.6.2 | 13 / 15 | |
| 0.6.1 | 13 / 15 | |
| 0.6.0 | 13 / 15 | |
| 0.5.1 | 13 / 15 | |
| 0.5.0 | 13 / 15 | |
| 0.4.0 | 13 / 15 | |
| 0.3.0 | 13 / 15 | |
| 0.2.0 | 11 / 16 | |
| 0.1.1 | 10 / 16 | |
v0.18.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.13.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.7.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.7.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
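The same finding is repeated for every version above and for the provenance status at the top of the page, so it is worth showing what the check actually looks at. Every tarball on npm carries `dist.signatures`, the registry's own signature over the package name, version and integrity hash; that only proves npm served the file. Provenance is a separate `dist.attestations` entry holding a SLSA predicate issued through Sigstore from a CI build, which is what ties the tarball to a source commit. The block below is an added example, not code from the scanner or from @drupal-canvas/cli: it reads the version metadata in the shape the registry returns for a package (the "packument") and classifies each version. The packument is constructed; 0.18.0 mirrors the finding above, 0.99.0 is a hypothetical version published with provenance, and all key ids, signature values and URLs are placeholders.

```javascript
// Added example: distinguish registry-signed from provenance-attested versions.
// Not part of the scanner page or the @drupal-canvas/cli project.
"use strict";

const SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/";

// Constructed packument excerpt (shape of https://registry.npmjs.org/<name>).
// Key ids, sigs, integrity values and the attestation URL are placeholders.
const SAMPLE_PACKUMENT = {
  name: "@drupal-canvas/cli",
  versions: {
    "0.18.0": {
      dist: {
        integrity: "sha512-PLACEHOLDER",
        signatures: [{ keyid: "SHA256:placeholder-registry-key", sig: "MEUCI...placeholder" }],
      },
    },
    "0.99.0": { // hypothetical version published with `npm publish --provenance`
      dist: {
        integrity: "sha512-PLACEHOLDER",
        signatures: [{ keyid: "SHA256:placeholder-registry-key", sig: "MEQCI...placeholder" }],
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/placeholder",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Returns { version: { registrySigned, hasProvenance, verdict } } for every version.
function provenanceStatus(packument) {
  const result = {};
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const dist = (meta && meta.dist) || {};
    // dist.signatures: the registry's ECDSA signature over name@version and the
    // integrity hash. Proves npm served this tarball, not where it came from.
    const registrySigned = Array.isArray(dist.signatures) && dist.signatures.length > 0;
    // dist.attestations.provenance: SLSA predicate issued via Sigstore by a CI
    // build, linking the tarball to a source commit and a workflow run.
    const predicate = dist.attestations && dist.attestations.provenance
      ? dist.attestations.provenance.predicateType
      : undefined;
    const hasProvenance = typeof predicate === "string" && predicate.startsWith(SLSA_PREDICATE_PREFIX);
    let verdict;
    if (hasProvenance) verdict = "provenance: tarball is linked to a source commit and build";
    else if (registrySigned) verdict = "registry-signed only: nothing ties this tarball to the public repo";
    else verdict = "no signature metadata at all";
    result[version] = { registrySigned, hasProvenance, verdict };
  }
  return result;
}

// Versions that a "block unless provenance is present" policy would refuse.
function versionsWithoutProvenance(packument) {
  return Object.entries(provenanceStatus(packument))
    .filter(([, status]) => !status.hasProvenance)
    .map(([version]) => version)
    .sort();
}

console.table(provenanceStatus(SAMPLE_PACKUMENT));
```

For the live check, `npm view @drupal-canvas/cli@0.18.0 dist.attestations --json` prints nothing when no attestation exists, and `npm audit signatures` run inside a project with a lockfile verifies the registry signatures and any attestations of every installed package in one pass. Treat a missing attestation as the absence of a guarantee rather than as evidence of tampering; the integrity hash in your lockfile still pins the bytes you reviewed.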