@mandujs/cli
Agent-Native Fullstack Framework - 에이전트가 코딩해도 아키텍처가 무너지지 않는 개발 OS
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Package consistently lacks provenance attestation; not a per-version signal for this package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): All instances are in test files asserting that ../etc/passwd paths are sanitized/rejected — not credential harvesting. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Appears in test fixtures passing env to a subprocess with one extra debug var; standard test pattern. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 in a Docker Compose healthcheck is a standard localhost probe, not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes base64-encoded source map data embedded in JS files — legitimate build tooling pattern. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @mandujs/cli package; edit-distance match to 'joi' is coincidental, not impersonation. | ai |
Versions (showing 51 of 92)
| Version | Deps | Published |
|---|---|---|
| 0.44.24 | 6 / 0 | |
| 0.44.23 | 6 / 0 | |
| 0.44.22 | 6 / 0 | |
| 0.44.21 | 6 / 0 | |
| 0.44.20 | 6 / 0 | |
| 0.44.19 | 6 / 0 | |
| 0.44.18 | 6 / 0 | |
| 0.44.15 | 6 / 0 | |
| 0.44.14 | 6 / 0 | |
| 0.44.13 | 6 / 0 | |
| 0.44.12 | 6 / 0 | |
| 0.44.11 | 6 / 0 | |
| 0.44.10 | 6 / 0 | |
| 0.44.9 | 6 / 0 | |
| 0.44.8 | 6 / 0 | |
| 0.44.7 | 6 / 0 | |
| 0.44.6 | 6 / 0 | |
| 0.44.5 | 6 / 0 | |
| 0.44.4 | 6 / 0 | |
| 0.44.3 | 6 / 0 | |
| 0.44.2 | 6 / 0 | |
| 0.42.2 | 6 / 0 | |
| 0.41.0 | 6 / 0 | |
| 0.21.1 | 5 / 0 | |
| 0.17.1 | 3 / 0 | |
| 0.15.2 | 2 / 0 | |
| 0.15.1 | 2 / 0 | |
| 0.15.0 | 2 / 0 | |
| 0.14.1 | 2 / 0 | |
| 0.12.1 | 2 / 0 | |
| 0.12.0 | 2 / 0 | |
| 0.11.0 | 2 / 0 | |
| 0.10.0 | 1 / 0 | |
| 0.9.46 | 1 / 0 | |
| 0.9.45 | 1 / 0 | |
| 0.9.44 | 1 / 0 | |
| 0.9.43 | 1 / 0 | |
| 0.9.42 | 1 / 0 | |
| 0.9.24 | 1 / 0 | |
| 0.9.23 | 1 / 0 | |
| 0.9.22 | 1 / 0 | |
| 0.9.21 | 1 / 0 | |
| 0.9.20 | 1 / 0 | |
| 0.9.19 | 1 / 0 | |
| 0.9.18 | 1 / 0 | |
| 0.9.17 | 1 / 0 | |
| 0.9.12 | 1 / 0 | |
| 0.9.11 | 1 / 0 | |
| 0.9.10 | 1 / 0 | |
| 0.9.9 | 1 / 0 | |
| 0.9.8 | 1 / 0 |
v0.44.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.44.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.42.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.41.0
15 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux 116 | 117 | it("rejects relative URLs (no scheme)", () => { > 118 | const rendered = `${ESC}]8;;../etc/passwd${OSC_ST}path${ESC}]8;;${OSC_ST}`; 119 | const out = sanitizeOsc8(rendered); 120 | expect(out).not.toContain("../etc/passwd");
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 118 | const rendered = `${ESC}]8;;../etc/passwd${OSC_ST}path${ESC}]8;;${OSC_ST}`; 119 | const out = sanitizeOsc8(rendered); > 120 | expect(out).not.toContain("../etc/passwd"); 121 | expect(out).toContain("path"); 122 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 52 | * the default allow-list to `http`/`https` only because the same renderer 53 | * is used for AI chat output where attacker-influenced markdown could > 54 | * smuggle `file:///etc/passwd` links. Callers that legitimately display 55 | * local documentation links (e.g. `mandu docs`) must opt in explicitly. 56 | * Default: `false`.
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 123 | * local-documentation links, but the same renderer also outputs AI chat 124 | * responses where attacker-influenced markdown could smuggle a clickable > 125 | * `file:///etc/passwd` link. Callers that legitimately render local docs 126 | * must pass `{ allowFileScheme: true }` explicitly. 127 | */
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 286 | }; 287 | // /preset expects alphanumeric — "../etc" is rejected inside loadPreset > 288 | const result = await handleSlashCommand("/preset ../etc/shadow", state); 289 | // Should surface as an error OR a soft continue with a failure message, 290 | // never a successful load.
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 361 | it("/save rejects absolute paths with AI_PATH_ESCAPE", async () => { 362 | const state = makeState(tmpDir); > 363 | const evilPath = path.isAbsolute("/etc/passwd") 364 | ? "/etc/passwd" 365 | : "/tmp/evil.json";
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 362 | const state = makeState(tmpDir); 363 | const evilPath = path.isAbsolute("/etc/passwd") > 364 | ? "/etc/passwd" 365 | : "/tmp/evil.json"; 366 | const result = await handleSlashCommand(`/save ${evilPath}`, state);
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 382 | it("/save rejects '..' traversal with AI_PATH_ESCAPE", async () => { 383 | const state = makeState(tmpDir); > 384 | const result = await handleSlashCommand("/save ../../../etc/passwd", state); 385 | expect(result.kind).toBe("error"); 386 | if (result.kind === "error") {
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 391 | it("/load rejects absolute paths with AI_PATH_ESCAPE", async () => { 392 | const state = makeState(tmpDir); > 393 | const result = await handleSlashCommand("/load /etc/shadow", state); 394 | expect(result.kind).toBe("error"); 395 | if (result.kind === "error") {
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 409 | it("/system rejects absolute paths with AI_PATH_ESCAPE", async () => { 410 | const state = makeState(tmpDir); > 411 | const result = await handleSlashCommand("/system /etc/passwd", state); 412 | expect(result.kind).toBe("error"); 413 | if (result.kind === "error") {
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 418 | it("/system rejects '..' traversal with AI_PATH_ESCAPE", async () => { 419 | const state = makeState(tmpDir); > 420 | const result = await handleSlashCommand("/system ../../../etc/passwd", state); 421 | expect(result.kind).toBe("error"); 422 | if (result.kind === "error") {
Spreading entire process.env into an object — may capture all secrets 185 | cwd: dir, 186 | stdio: ["ignore", "pipe", "pipe"], > 187 | env: { ...process.env, MANDU_DEBUG_BOOT: "1" }, 188 | }); 189 | try {
Spreading entire process.env into an object — may capture all secrets 241 | cwd: dir, 242 | stdio: ["ignore", "pipe", "pipe"], > 243 | env: { ...process.env, MANDU_DEBUG_BOOT: "1" }, 244 | }); 245 | try {
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 152 | expect(resolveSkillPayload("mandu-nonexistent-skill")).toBeNull(); 153 | expect(resolveSkillPayload("")).toBeNull(); > 154 | expect(resolveSkillPayload("../etc/passwd")).toBeNull(); 155 | }); 156 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: oddeye.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.46
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.45
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.44
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.43
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.42
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.