@lpm-registry/cli
CLI for Licensed Package Manager
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Fetches platform-specific prebuilt binaries; matches optional deps pattern, standard for native CLI tools. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Passes process.env + LPM_TOKEN to child process; standard CLI token injection, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Used in AES-GCM decryption (IV + authTag parsing); legitimate crypto, not payload obfuscation. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @lpm-registry/cli is not a typosquat of joi; false positive from edit-distance heuristic. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is a declared dependency; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:inquirer | AI (phantom-deps): inquirer is a declared dependency; phantom-dep heuristic false positive for this package. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 0.44.0 | 13 / 4 | |
| 0.43.0 | 13 / 4 | |
| 0.42.0 | 13 / 4 | |
| 0.41.1 | 13 / 4 | |
| 0.41.0 | 13 / 4 | |
| 0.29.0 | 13 / 4 | |
| 0.27.0 | 13 / 4 | |
| 0.9.2 | 13 / 4 | |
| 0.7.0 | 13 / 4 | |
| 0.6.0 | 13 / 4 | |
| 0.3.0 | 13 / 4 | |
| 0.2.6 | 13 / 4 | |
| 0.2.5 | 13 / 4 | |
| 0.2.4 | 13 / 4 | |
| 0.2.3 | 13 / 4 | |
| 0.2.2 | 13 / 4 | |
| 0.2.1 | 13 / 4 | |
| 0.2.0 | 13 / 4 | |
v0.44.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.42.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.41.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.41.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.