@fedify/cli — Greenflagged

CLI toolchain for Fedify and debugging ActivityPub

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hongminhee

Keywords

fedifyactivitypubclifediverse

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	rapid-publish	AI (publish-pattern): Automated CI/CD release pipeline with SLSA provenance; rapid publish is expected.	ai	2026/06/05
source-diff	source-size-dropped	AI (source-diff): Package intentionally restructured as a binary-fetching stub; size drop is expected and stable.	ai	2026/06/05
phantom-deps	phantom-dep:@standard-schema/spec	AI (phantom-deps): Type-only/config usage of @standard-schema/spec is expected; not a runtime import concern.	ai	2026/05/08
dependencies	unvetted-dep:icojs	AI (dependencies): ICO image parsing library; consistent with CLI avatar/icon handling use case.	ai	2026/05/08
dependencies	unvetted-dep:@poppanator/http-constants	AI (dependencies): HTTP constants utility; benign helper library for HTTP-based ActivityPub tooling.	ai	2026/05/08
dependencies	unvetted-dep:@jimp/wasm-webp	AI (dependencies): WebP image codec for jimp; consistent with image processing in ActivityPub CLI.	ai	2026/05/08
source-diff	large-new-source-files	AI (source-diff): New source files correspond to new features in v2 major release.	ai	2026/05/08
publish-pattern	new-deps-added	AI (publish-pattern): v2 major release with documented new features; SLSA provenance confirms CI/CD build integrity.	ai	2026/05/08
source-diff	source-size-tripled	AI (source-diff): Major version bump with 37 new deps; size increase is expected, not injected payload.	ai	2026/05/08
dependencies	unvetted-dep:@hongminhee/localtunnel	AI (dependencies): @hongminhee is the same author as this package (Hong Minhee); this is a first-party dependency.	ai	2026/04/27
publish-pattern	dormant-publish	AI (publish-pattern): Package has SLSA provenance attestation via CI/CD and a legitimate established repository (fedify-dev/fedify). 301 versions in registry confirms active development history; dormancy is a release cadence artifact, not a takeover signal.	ai	2026/04/27
provenance	slsa-provenance	AI (provenance): Package consistently published via CI/CD with SLSA provenance attestation; stable supply chain integrity signal for this package.	ai	2026/04/27
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall runs node src/install.mjs to set up platform-specific CLI binaries; consistent with declared os/cpu constraints and backed by SLSA provenance attestation.	ai	2026/04/27
phantom-deps	phantom-dep:fetch-mock	AI (phantom-deps): fetch-mock is a legitimate declared dependency used for testing/mocking in the CLI. Not a security concern.	ai	2026/04/25
phantom-deps	phantom-dep:inquirer	AI (phantom-deps): CLI tool; inquirer is a legitimate declared dependency. Phantom-dep finding is a false positive for this package.	ai	2026/04/25
typosquat	typosquat.levenshtein:joi	AI (typosquat): @fedify/cli is a scoped package for the Fedify ActivityPub framework; no relation to 'joi'. Levenshtein match is a false positive for this well-known package.	ai	2026/04/25
phantom-deps	phantom-dep:enquirer	AI (phantom-deps): CLI tool; enquirer is a legitimate declared dependency used conditionally or indirectly. Not a security concern.	ai	2026/04/25
phantom-deps	phantom-dep:@inquirer/prompts	AI (phantom-deps): @inquirer/prompts is a legitimate declared dependency for CLI prompts. Phantom-dep finding is a false positive.	ai	2026/04/25
phantom-deps	phantom-dep:inquirer-toggle	AI (phantom-deps): inquirer-toggle is a legitimate declared dependency for CLI prompts. Phantom-dep finding is a false positive.	ai	2026/04/25

Versions (showing 64 of 64)

Version	Deps	Published
2.2.4	38 / 4	2026-06-04
2.2.3	38 / 4	2026-05-20
2.2.2	38 / 4	2026-05-15
2.2.1	38 / 4	2026-05-10
2.2.0	38 / 4	2026-04-28
2.1.16	37 / 4	2026-06-05
2.1.15	37 / 4	2026-06-04
2.1.14	37 / 4	2026-05-20
2.1.13	37 / 4	2026-05-15
2.1.12	37 / 4	2026-05-10
2.1.11	37 / 4	2026-04-27
2.1.10	37 / 4	2026-04-23
2.1.9	37 / 4	2026-04-22
2.1.8	37 / 4	2026-04-22
2.1.7	37 / 4	2026-04-21
2.1.6	37 / 4	2026-04-20
2.1.5	37 / 4	2026-04-08
2.1.4	37 / 4	2026-04-07
2.1.3	37 / 4	2026-03-31
2.1.2	37 / 4	2026-03-28
2.1.1	37 / 4	2026-03-26
2.1.0	37 / 4	2026-03-24
2.0.20	37 / 4	2026-06-05
2.0.19	37 / 4	2026-06-04
2.0.18	37 / 4	2026-05-20
2.0.17	37 / 4	2026-05-15
2.0.16	37 / 4	2026-05-10
2.0.15	37 / 4	2026-04-27
2.0.14	37 / 4	2026-04-23
2.0.13	37 / 4	2026-04-22
2.0.12	37 / 4	2026-04-08
2.0.11	37 / 4	2026-04-07
2.0.10	37 / 4	2026-03-31
2.0.9	37 / 4	2026-03-28
2.0.8	37 / 4	2026-03-26
2.0.7	37 / 4	2026-03-22
2.0.6	37 / 4	2026-03-18
2.0.5	37 / 4	2026-03-11
2.0.4	37 / 4	2026-03-11
2.0.3	37 / 4	2026-03-03
2.0.2	37 / 4	2026-02-26
2.0.1	37 / 4	2026-02-24
2.0.0	37 / 4	2026-02-22
1.10.11	0 / 0	2026-06-04
1.10.8	0 / 0	2026-04-08
1.10.7	0 / 0	2026-04-07
1.10.5	0 / 0	2026-03-26
1.10.3	0 / 0	2026-01-31
1.10.2	0 / 0	2026-01-23
1.10.1	0 / 0	2026-01-21
1.10.0	0 / 0	2025-12-24
1.9.12	0 / 0	2026-06-04
1.9.10	0 / 0	2026-05-10
1.9.9	0 / 0	2026-04-08
1.9.8	0 / 0	2026-04-07
1.9.7	0 / 0	2026-03-28
1.9.6	0 / 0	2026-03-26
1.9.4	0 / 0	2026-01-23
1.9.3	0 / 0	2026-01-21
1.9.1	0 / 0	2025-10-31
1.7.16	0 / 0	2025-12-20
1.7.15	0 / 0	2025-12-20
1.7.14	0 / 0	2025-12-20
1.6.15	0 / 0	2025-12-20