@highstate/cli
The CLI for the Highstate project.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): SLSA provenance attestation provides stronger supply chain integrity than gitHead; acceptable for this package. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Build/config-time dep in a bundled CLI; not directly imported in source is expected. | ai | |
| phantom-deps | phantom-dep:tsup | AI (phantom-deps): Build tool dep; not directly imported in source is expected for a bundled CLI. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Used via config files in a bundled CLI; phantom detection is a false positive here. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @highstate/cli is not a typosquat of joi; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:crypto-hash | AI (phantom-deps): Used in bundled CLI; phantom detection is a false positive here. | ai | |
| phantom-deps | phantom-dep:@pulumi/pulumi | AI (phantom-deps): Optional peer dep declared in peerDependenciesMeta; phantom finding is expected. | ai | |
| phantom-deps | phantom-dep:remeda | AI (phantom-deps): Utility lib used in bundled output; phantom detection is a false positive here. | ai |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 0.21.1 | 26 / 5 | |
| 0.20.0 | 26 / 6 | |
| 0.16.0 | 26 / 6 | |
| 0.14.0 | 23 / 5 | |
| 0.13.2 | 23 / 5 | |
| 0.13.1 | 23 / 5 | |
| 0.13.0 | 23 / 5 | |
| 0.12.1 | 23 / 5 | |
| 0.12.0 | 23 / 5 | |
| 0.11.7 | 23 / 5 | |
| 0.11.6 | 23 / 5 | |
| 0.11.5 | 23 / 5 | |
| 0.11.4 | 23 / 5 | |
| 0.11.3 | 23 / 5 | |
| 0.10.0 | 23 / 4 | |
| 0.9.37 | 23 / 4 | |
| 0.9.36 | 23 / 4 | |
| 0.9.35 | 23 / 4 | |
| 0.9.34 | 23 / 4 | |
| 0.9.33 | 23 / 4 | |
| 0.9.32 | 23 / 4 | |
| 0.9.31 | 23 / 4 | |
| 0.9.30 | 23 / 4 | |
| 0.9.29 | 23 / 4 | |
| 0.9.28 | 23 / 4 | |
| 0.9.27 | 23 / 4 | |
| 0.9.26 | 21 / 4 | |
| 0.9.25 | 21 / 4 | |
| 0.9.24 | 21 / 4 | |
| 0.9.23 | 21 / 4 | |
| 0.9.22 | 21 / 4 | |
| 0.9.21 | 21 / 4 | |
| 0.9.20 | 21 / 2 | |
| 0.9.19 | 21 / 2 | |
| 0.9.18 | 21 / 2 | |
| 0.9.16 | 20 / 2 | |
| 0.9.15 | 13 / 1 | |
| 0.9.14 | 13 / 1 | |
| 0.9.13 | 13 / 1 | |
| 0.9.12 | 13 / 1 | |
| 0.9.11 | 13 / 1 | |
| 0.9.10 | 13 / 1 | |
| 0.9.9 | 13 / 1 | |
| 0.9.8 | 13 / 1 | |
| 0.9.7 | 13 / 1 | |
| 0.9.6 | 13 / 1 | |
| 0.9.5 | 13 / 1 |
v0.20.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.37
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.36
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.35
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.34
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.31
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.27
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.