@hubspot/cli-lib
Library for creating scripts for working with HubSpot
1
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
jonmiller_hstscalesrsegurahemangthakkartamarayujyeager_hubspotcamdenphalenbmatto_hselingyralonso-cadenasjsinestfinley_hsmshannon_hsarota-hubspotbbarbosa-hubspotservice-ccskemmerlebandersonalsorberdeen-hubspotharminder01bkrainer-hsfrissjhilkeratanasiukksvirkou-hubspotkbreeman-hubspotbrodgers16
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately uses child_process.fork for JS field processing; stable pattern across versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require on a file path is expected for a CLI lib that loads user-defined field JS files. | ai | |
| phantom-deps | phantom-dep:jest | AI (phantom-deps): jest is listed as a runtime dep (unusual but intentional) and referenced in package.json scripts; stable false positive. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 9.1.1 | 18 / 3 |