@junobuild/cli
The Juno command-line interface
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@junobuild/functions-tools | AI (phantom-deps): Same org scope; phantom-dep pattern matches other accepted @junobuild deps in this package. | ai | |
| dependencies | unvetted-dep:@junobuild/functions-tools | AI (dependencies): Same org scope (@junobuild); consistent with the rest of the accepted @junobuild deps in this package. | ai | |
| dependencies | unvetted-dep:@junobuild/schema | AI (dependencies): Same org scope (@junobuild); consistent with the rest of the accepted @junobuild deps in this package. | ai | |
| phantom-deps | phantom-dep:@dfinity/principal | AI (phantom-deps): Same bundled CLI pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dfinity/identity | AI (phantom-deps): Same bundled CLI pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dfinity/candid | AI (phantom-deps): Same bundled CLI pattern; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@dfinity/ic-management | AI (dependencies): Legitimate DFINITY SDK package; consistent with Juno's ICP toolchain across all versions. | ai | |
| phantom-deps | phantom-dep:@dfinity/agent | AI (phantom-deps): Bundled CLI; DFINITY deps consumed indirectly via esbuild bundle, not direct imports. | ai | |
| phantom-deps | phantom-dep:@dfinity/ic-management | AI (phantom-deps): Same bundled CLI pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dfinity/auth-client | AI (phantom-deps): Same bundled CLI pattern; stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Package now publishes via GitHub Actions CI with SLSA attestation; this is the expected automated publisher pattern for the junobuild org. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 197-version package with SLSA provenance; dormancy likely reflects release cadence, not account takeover. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): esbuild-bundled CLI; encoded strings are Candid/ICP codec artifacts, not obfuscated payloads. | ai | |
| dependencies | unvetted-dep:@junobuild/did-tools | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/cdn | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/core | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/admin | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/utils | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/config | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/cli-tools | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/config-loader | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@junobuild/storage | AI (dependencies): First-party @junobuild org dependency; stable pattern across all versions of this CLI. | ai | |
| dependencies | unvetted-dep:@icp-sdk/core | AI (dependencies): ICP SDK ecosystem dependency used throughout junobuild toolchain; expected dependency. | ai | |
| dependencies | unvetted-dep:@icp-sdk/canisters | AI (dependencies): ICP SDK ecosystem dependency used throughout junobuild toolchain; expected dependency. | ai | |
| dependencies | unvetted-dep:@dfinity/zod-schemas | AI (dependencies): DFINITY org schema validation library; expected in ICP/junobuild ecosystem. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): CLI tool likely uses zod transitively via config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@dfinity/zod-schemas | AI (phantom-deps): Declared dep used via config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@junobuild/did-tools | AI (phantom-deps): Same org scope; used via config/build pipeline, not direct import. | ai | |
| phantom-deps | phantom-dep:@junobuild/config-loader | AI (phantom-deps): Same org scope; used via config/build pipeline, not direct import. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @junobuild/cli; Levenshtein match to 'joi' is a false positive with no brand overlap. | ai | |
| phantom-deps | phantom-dep:prompts | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:conf | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:@junobuild/admin | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/core | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/utils | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/schema | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@icp-sdk/canisters | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:@junobuild/storage | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/cli-tools | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/ic-client | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@junobuild/cdn | AI (phantom-deps): Same-org scoped dep in bundled CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:@dfinity/utils | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:terminal-link | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:@icp-sdk/core | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:portfinder | AI (phantom-deps): Bundled CLI via esbuild; phantom-dep heuristic unreliable for bundled packages. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 0.15.5 | 22 / 16 | |
| 0.15.4 | 22 / 16 | |
| 0.14.4 | 22 / 16 | |
| 0.13.8 | 23 / 16 | |
| 0.13.6 | 23 / 16 | |
| 0.13.5 | 23 / 16 | |
| 0.13.4 | 23 / 16 | |
| 0.13.3 | 23 / 16 | |
| 0.13.2 | 23 / 16 | |
| 0.12.2 | 23 / 16 | |
| 0.12.1 | 23 / 16 | |
| 0.12.0 | 23 / 16 | |
| 0.11.1 | 23 / 16 | |
| 0.11.0 | 23 / 16 | |
| 0.2.15 | 21 / 15 | |
v0.15.5
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.8
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.6
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.5
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.4
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.3
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.2
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
2 findings:
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
3 findings:
This version was published by a different npm account than previous versions on 2025-11-23. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.15
1 finding:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.