@formatjs/cli — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

longlhoredonkuluspyrocat

Keywords

cliformatformatjsformattingglobalizationi18ninternationalizationintllocalelocalizationreactreact-intlreactjstranslatetranslation

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:bin/parse_script-3um9mN8Y.js	AI (source-diff): Bundled CLI binary (rolldown output); long lines are minified bundle, not obfuscation.	ai	2026/05/20
source-diff	net-exec-file:bin/parse_script-3um9mN8Y.js	AI (source-diff): Network+exec pattern in a CLI tool bundle is expected; no dropper indicators in the sample.	ai	2026/05/20
source-diff	obfuscated-file:bin/parse_script-Dh6HQV8l.js	AI (source-diff): Rolldown-bundled CLI artifact; long lines are minified bundle output, not obfuscation. Stable pattern for this package.	ai	2026/05/18
source-diff	net-exec-file:bin/parse_script-Dh6HQV8l.js	AI (source-diff): CLI tool legitimately makes network calls (e.g. fetching translations) and uses dynamic requires in bundled output; no dropper pattern visible.	ai	2026/05/18
typosquat	typosquat.levenshtein:joi	AI (typosquat): @formatjs/cli is a well-established i18n CLI tool, not a typosquat of joi; Levenshtein match is spurious.	ai	2026/04/29

Versions (showing 14 of 14)

Version	Deps	Published
6.16.9	0 / 0	2026-06-06
6.16.8	0 / 0	2026-06-05
6.16.7	0 / 0	2026-06-04
6.16.6	0 / 1	2026-05-28
6.16.5	0 / 1	2026-05-27
6.16.3	0 / 1	2026-05-22
6.16.2	0 / 1	2026-05-22
6.16.1	0 / 1	2026-05-19
6.16.0	0 / 1	2026-05-15
6.15.0	0 / 1	2026-05-12
6.14.5	0 / 1	2026-05-05
6.14.4	0 / 1	2026-04-29
6.14.3	0 / 1	2026-04-24
6.14.2	0 / 1	2026-04-13

v6.16.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.16.0

3 findings

HIGH New obfuscated file: bin/parse_script-3um9mN8Y.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: bin/parse_script-3um9mN8Y.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.15.0

3 findings

HIGH New obfuscated file: bin/parse_script-3um9mN8Y.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: bin/parse_script-3um9mN8Y.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.14.5

3 findings

HIGH New obfuscated file: bin/parse_script-Dh6HQV8l.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: bin/parse_script-Dh6HQV8l.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.14.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.14.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.