@hex-core/cli — Greenflagged

CLI for Hex UI — copy components into your project with one command.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

oscarcorona

Keywords

hex-coreclicomponent-libraryscaffoldingshadcn-alternative

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): All added deps are established packages appropriate for a CLI/theming tool; no malicious indicators.	ai	2026/05/31
phantom-deps	phantom-dep:zod	AI (phantom-deps): zod is a declared runtime dependency; phantom-dep heuristic fires on indirect/config usage, stable FP for this package.	ai	2026/05/14
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped package @hex-core/cli is a CLI tool for a component library; Levenshtein match to 'joi' is purely coincidental with no impersonation intent.	ai	2026/04/25

Versions (showing 8 of 8)

Version	Deps	Published
0.8.0	8 / 5	2026-05-22
0.3.1	8 / 5	2026-04-30
0.3.0	7 / 5	2026-04-29
0.2.3	4 / 4	2026-04-28
0.2.2	4 / 4	2026-04-28
0.2.1	4 / 4	2026-04-27
0.2.0	4 / 4	2026-04-25
0.1.0	3 / 4	2026-04-24

v0.8.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oscarcorona.