@flxbl-io/sfp — Greenflagged

sfp is a CLI tool to help you manage your Salesforce projects in an artifact centric model

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

azlamsalam

Keywords

flxbliosfp-clisfdxsfdx-pluginsalesforcesfsf-pluginorchestrator

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Established CLI tool; provenance absence is common and not a risk signal here.	ai	2026/05/14
dependencies	unvetted-dep:antlr4ts	AI (dependencies): Apex parser dependency; expected for Salesforce tooling.	ai	2026/05/14
dependencies	unvetted-dep:handlebars	AI (dependencies): Template rendering; standard utility dep for CLI tools.	ai	2026/05/14
dependencies	unvetted-dep:markdown-table-ts	AI (dependencies): Markdown formatting utility; low risk.	ai	2026/05/14
dependencies	unvetted-dep:@newrelic/telemetry-sdk	AI (dependencies): Metrics/telemetry integration; expected for a DevOps CLI.	ai	2026/05/14
dependencies	unvetted-dep:@flxbl-io/sfdx-process-wrapper	AI (dependencies): First-party dependency from same org (flxbl-io).	ai	2026/05/14
phantom-deps	phantom-dep:@oclif/plugin-commands	AI (phantom-deps): oclif plugin declared in oclif.plugins config, not directly imported in code; expected pattern.	ai	2026/05/09
typosquat	typosquat.levenshtein:yup	AI (typosquat): Scoped package @flxbl-io/sfp is a Salesforce DevOps CLI; no resemblance to yup in purpose or namespace.	ai	2026/05/09
phantom-deps	phantom-dep:pino-abstract-transport	AI (phantom-deps): pino transport loaded dynamically via pino config; stable false positive for this package.	ai	2026/05/09
phantom-deps	phantom-dep:@salesforce/schemas	AI (phantom-deps): Schema package used via config/validation layer; stable false positive for this package.	ai	2026/05/09
semgrep	semgrep:child-process-import	AI (semgrep): Git/SFDX orchestration CLI legitimately uses child_process for git and sfdx command execution.	ai	2026/05/09
phantom-deps	phantom-dep:pino	AI (phantom-deps): pino is a declared runtime dep used via config/logger abstraction layer, not direct import.	ai	2026/05/09
phantom-deps	phantom-dep:dotenv	AI (phantom-deps): dotenv loaded via config bootstrapping, not direct import; stable false positive for this package.	ai	2026/05/09
phantom-deps	phantom-dep:handlebars	AI (phantom-deps): handlebars used via template rendering abstraction; stable false positive for this package.	ai	2026/05/09
phantom-deps	phantom-dep:@oclif/plugin-help	AI (phantom-deps): oclif plugin declared in oclif.plugins config, not directly imported in code; expected pattern.	ai	2026/05/09

Versions (showing 3 of 3)

Version	Deps	Published
39.8.0	51 / 30	2025-08-25
39.7.0	51 / 30	2025-08-25
39.6.1	51 / 29	2025-06-30

v39.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v39.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v39.6.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.