@lightdash/cli — Greenflagged

Lightdash CLI tool

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

ligthdash_javierjose-lightdashowlaslight-irakli

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:ajv-formats	AI (phantom-deps): ajv-formats is a peer/plugin of ajv; loaded by convention, not direct import. Stable false positive for this package.	ai	2026/05/26
dependencies	unvetted-dep:@types/columnify	AI (dependencies): @types/columnify is a type-definition-only package with no runtime impact; stable false positive for this package.	ai	2026/05/14
install-scripts	install-script:preinstall	AI (install-scripts): Runs bundled track.sh for install telemetry; file is explicitly listed in package files, not a remote fetch.	ai	2026/04/29
install-scripts	install-script:postinstall	AI (install-scripts): Same track.sh telemetry pattern; stable across Lightdash CLI versions.	ai	2026/04/29
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped @lightdash/cli package; Levenshtein match to 'joi' is a false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@types/columnify	AI (phantom-deps): @types packages are type-only and not directly imported at runtime; stable false positive for this package.	ai	2026/04/29

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.