@mars-stack/cli
MARS CLI: scaffold, configure, and maintain SaaS apps
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Flagged code is in Playwright E2E test config template files spreading process.env for test environment setup — standard, benign pattern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Flagged code is Prisma auto-generated WASM loader in template/prisma/generated — well-known legitimate Prisma pattern, not malicious. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Flagged code sets localhost (127.0.0.1:3000) in a unit test file — completely benign test fixture, not a real network request to a raw IP. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @mars-stack/cli is a scoped CLI package in the mars-stack monorepo; Levenshtein proximity to 'joi' is coincidental, not impersonation. | ai | |
Versions (showing 86 of 86)
| Version | Deps | Published |
|---|---|---|
| 13.1.9 | 7 / 7 | |
| 13.1.8 | 7 / 7 | |
| 13.1.7 | 7 / 7 | |
| 13.1.4 | 7 / 7 | |
| 13.1.3 | 7 / 7 | |
| 13.1.2 | 7 / 7 | |
| 13.0.1 | 7 / 7 | |
| 13.0.0 | 7 / 7 | |
| 11.0.2 | 7 / 7 | |
| 11.0.1 | 7 / 7 | |
| 11.0.0 | 7 / 7 | |
| 10.0.0 | 7 / 7 | |
| 9.0.10 | 7 / 7 | |
| 9.0.9 | 7 / 7 | |
| 9.0.8 | 7 / 7 | |
| 9.0.7 | 7 / 7 | |
| 9.0.6 | 7 / 7 | |
| 9.0.5 | 7 / 7 | |
| 9.0.4 | 7 / 7 | |
| 9.0.3 | 7 / 7 | |
| 9.0.2 | 7 / 7 | |
| 9.0.1 | 7 / 7 | |
| 9.0.0 | 7 / 7 | |
| 8.0.37 | 7 / 7 | |
| 8.0.36 | 7 / 7 | |
| 8.0.35 | 7 / 7 | |
| 8.0.34 | 7 / 7 | |
| 8.0.33 | 7 / 7 | |
| 8.0.32 | 7 / 7 | |
| 8.0.31 | 7 / 7 | |
| 8.0.30 | 7 / 7 | |
| 8.0.29 | 7 / 7 | |
| 8.0.28 | 7 / 7 | |
| 8.0.27 | 7 / 7 | |
| 8.0.26 | 7 / 7 | |
| 8.0.25 | 7 / 7 | |
| 8.0.24 | 7 / 7 | |
| 8.0.23 | 7 / 7 | |
| 8.0.22 | 7 / 7 | |
| 8.0.21 | 7 / 7 | |
| 8.0.20 | 7 / 7 | |
| 8.0.19 | 7 / 7 | |
| 8.0.18 | 7 / 7 | |
| 8.0.17 | 7 / 7 | |
| 8.0.16 | 7 / 7 | |
| 8.0.15 | 7 / 7 | |
| 8.0.14 | 7 / 7 | |
| 8.0.13 | 7 / 7 | |
| 8.0.12 | 7 / 7 | |
| 8.0.11 | 7 / 7 | |
| 8.0.10 | 7 / 7 | |
| 8.0.9 | 7 / 7 | |
| 8.0.8 | 7 / 7 | |
| 8.0.7 | 7 / 7 | |
| 8.0.5 | 7 / 7 | |
| 8.0.4 | 7 / 7 | |
| 8.0.3 | 7 / 7 | |
| 8.0.2 | 7 / 7 | |
| 8.0.1 | 7 / 7 | |
| 8.0.0 | 7 / 7 | |
| 7.0.6 | 7 / 7 | |
| 7.0.5 | 7 / 7 | |
| 7.0.4 | 7 / 7 | |
| 7.0.3 | 7 / 7 | |
| 7.0.2 | 7 / 7 | |
| 7.0.1 | 7 / 7 | |
| 7.0.0 | 7 / 7 | |
| 6.0.4 | 7 / 7 | |
| 6.0.3 | 7 / 7 | |
| 6.0.2 | 7 / 7 | |
| 6.0.1 | 7 / 7 | |
| 6.0.0 | 7 / 7 | |
| 5.0.3 | 6 / 6 | |
| 5.0.1 | 6 / 6 | |
| 5.0.0 | 6 / 6 | |
| 4.0.3 | 6 / 6 | |
| 4.0.1 | 6 / 6 | |
| 4.0.0 | 6 / 6 | |
| 3.0.2 | 6 / 6 | |
| 3.0.1 | 6 / 6 | |
| 3.0.0 | 6 / 6 | |
| 2.0.1 | 6 / 6 | |
| 2.0.0 | 6 / 6 | |
| 1.0.2 | 6 / 6 | |
| 0.2.2 | 5 / 6 | |
| 0.2.0 | 5 / 6 | |
v13.1.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.2
7 findings

1. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/e2e-kitchen-sink/playwright.config.ts#L34

```
  32 | reuseExistingServer: false,
  33 | timeout: 240_000,
> 34 | env: { ...process.env, MARS_CI_KITCHEN_SINK_E2E: '1' },
  35 | },
  36 | });
```

2. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/playwright.config.ts#L41

```
  39 | reuseExistingServer: false,
  40 | timeout: 180_000,
> 41 | env: { ...process.env, MARS_CI_TEMPLATE_E2E: '1' },
  42 | }
  43 | : {
```

3. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/scripts/ensure-db.mjs#L70

```
  68 | stdio: ['pipe', 'ignore', 'ignore'],
  69 | timeout: 15000,
> 70 | env: { ...process.env },
  71 | });
  72 | return true;
```

4. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/scripts/ensure-db.mjs#L84

```
  82 | stdio: 'inherit',
  83 | timeout: 120000,
> 84 | env: { ...process.env },
  85 | shell: true,
  86 | });
```

5. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/scripts/playwright-web-server.mjs#L18

```
  16 | stdio: 'inherit',
  17 | shell: false,
> 18 | env: {
  19 |   ...process.env,
  20 |   /** Same as CI `start-e2e-server.mjs` — parallel Playwright sign-ins exceed login RATE_LIMITS without this. */
```

6. Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/greaveselliott/mars/blob/84ee4b216259a0a7e110b4bba7ba74ed5fefb431/template/scripts/start-e2e-server.mjs#L17

```
  15 | cwd: ROOT,
  16 | stdio: 'inherit',
> 17 | env: {
  18 |   ...process.env,
  19 |   NODE_ENV: 'production',
```

7. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.37
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.36
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.35
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.34
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.