@elliemae/pui-cli — Greenflagged

ICE MT UI Platform CLI

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

encw.dev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:rimraf	AI (phantom-deps): Build-tool dependency; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:raf	AI (phantom-deps): Build-tool dependency; referenced in config files, stable pattern for this package.	ai	2026/05/11
phantom-deps	phantom-dep:pino	AI (phantom-deps): Config-referenced logging dependency; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:plop	AI (phantom-deps): Config-referenced code-generation tool; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:uuid	AI (phantom-deps): Config-referenced utility; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:husky	AI (phantom-deps): Git-hooks tool referenced in config; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:jsdoc	AI (phantom-deps): Documentation tool referenced in config; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:lerna	AI (phantom-deps): Monorepo tool referenced in config; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:moment	AI (phantom-deps): Config-referenced date library; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:prisma	AI (phantom-deps): Config-referenced ORM tool; stable for this package.	ai	2026/05/11
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Config-referenced; used via CLI and type-checking, not direct imports.	ai	2026/05/04
phantom-deps	phantom-dep:@babel/core	AI (phantom-deps): Framework plugin; loaded by convention via .babelrc config.	ai	2026/05/04
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type definitions; loaded by convention, not imported.	ai	2026/05/04
phantom-deps	phantom-dep:@storybook/react	AI (phantom-deps): Storybook plugin loaded by config; stable for this package.	ai	2026/05/04
phantom-deps	phantom-dep:webpack-cli	AI (phantom-deps): Build tool referenced in config; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:eslint	AI (phantom-deps): Linter referenced in config; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:msw	AI (phantom-deps): Build/test tool referenced in config; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:pug	AI (phantom-deps): Template loader referenced in webpack config; stable pattern for this package.	ai	2026/05/04
phantom-deps	phantom-dep:tsx	AI (phantom-deps): CLI invoked via scripts; stable pattern for this package.	ai	2026/05/04
provenance	no-provenance	AI (provenance): Large established corporate package; no provenance is consistent with all prior versions.	ai	2026/04/29

Versions (showing 11 of 11)

Version	Deps	Published
8.62.1	222 / 6	2026-05-20
8.62.0	222 / 6	2026-04-27
8.55.6	224 / 6	2025-11-04
8.55.5	224 / 6	2025-11-04
8.55.3	224 / 6	2025-11-03
8.53.0	224 / 6	2025-08-01
8.52.4	224 / 6	2025-07-16
8.52.3	224 / 6	2025-07-14
8.52.2	223 / 6	2025-07-10
8.52.1	223 / 6	2025-06-06
8.52.0	223 / 6	2025-06-03

v8.62.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: encw.dev.