@earendil-works/pi-tui

10 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

mitsuhiko, badlogic, rwachtler

Keywords

tui, terminal, ui, text-editor, differential-rendering, typescript, cli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
npm-metadata | bundled-binaries | AI (npm-metadata): Win32 console-mode .node files are expected native bindings for a TUI library; stable pattern for this package. | ai |
phantom-deps | phantom-dep:chalk | AI (phantom-deps): Config-file reference; stable pattern for this package. | ai |
phantom-deps | phantom-dep:mime-types | AI (phantom-deps): Config-file reference; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/mime-types | AI (phantom-deps): Framework-scoped convention; stable pattern for this package. | ai |

Versions (showing 10 of 10)

Version Deps Published
0.76.0 2 / 2
0.75.5 2 / 3
0.75.4 2 / 3
0.75.3 2 / 3
0.75.2 2 / 3
0.75.1 2 / 3
0.75.0 2 / 3
0.74.2 2 / 3
0.74.1 2 / 3
0.74.0 5 / 2

v0.76.0

2 findings
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO | Publisher changed: badlogic → mitsuhiko (on 2026-05-27, known maintainer) | provenance

This version was published by a different npm account (mitsuhiko) than the most recent previously approved version (badlogic) on 2026-05-27, but mitsuhiko is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.75.5

2 findings
HIGH | Bundled binary files (2) | npm-metadata

Package contains compiled binaries that could be backdoors:
• native/win32/prebuilds/win32-arm64/win32-console-mode.node
• native/win32/prebuilds/win32-x64/win32-console-mode.node

LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.4

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.3

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.75.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.74.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.74.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.74.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.