@hanzogui/cli — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

artemis-primezeekay

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped @hanzogui org CLI tool; Levenshtein match to 'joi' is coincidental, not impersonation.	ai	2026/05/19
phantom-deps	phantom-dep:@hanzogui/vite-plugin	AI (phantom-deps): Same-org workspace dep; phantom-dep heuristic unreliable for monorepo workspace packages.	ai	2026/05/19
phantom-deps	phantom-dep:@hanzogui/create-theme	AI (phantom-deps): Same-org workspace dep; phantom-dep heuristic unreliable for monorepo workspace packages.	ai	2026/05/19
phantom-deps	phantom-dep:esbuild	AI (phantom-deps): CLI build tool; esbuild is a known implicit runtime/binary dependency pattern.	ai	2026/05/19
phantom-deps	phantom-dep:typescript	AI (phantom-deps): CLI invokes tsc/ts-morph; typescript used implicitly as a runtime tool.	ai	2026/05/19
phantom-deps	phantom-dep:express	AI (phantom-deps): Dev server CLI; express likely used via config/dynamic require pattern.	ai	2026/05/19
phantom-deps	phantom-dep:get-port	AI (phantom-deps): Dev server CLI; get-port used alongside express, consistent with config-driven usage.	ai	2026/05/19
phantom-deps	phantom-dep:url	AI (phantom-deps): Node built-in polyfill; commonly referenced in config without direct import.	ai	2026/05/19

Versions (showing 5 of 5)

Version	Deps	Published
7.0.0	21 / 4	2026-04-27
4.3.1	21 / 4	2026-04-08
3.0.6	21 / 4	2026-03-29
2.0.1	21 / 4	2026-03-25
2.0.0	21 / 4	2026-03-24