@microsoft/rayfin-cli
Command-line interface for Rayfin platform
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source repository or the build that produced it; a registry account or token is enough to publish arbitrary content under the package name — the axios compromise (March 2026) relied on exactly this gap.
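As an added example (not code from the scanner, npm, or the Rayfin project) of what the provenance status above is computed from: the npm registry's packument exposes, per version, a `dist.attestations` entry only for releases published with `npm publish --provenance`. The sample packument below is constructed; the `1.33.x` entries mirror the page, the `9.9.9` release and its attestation are invented to show the positive case, and the exact `dist.attestations` shape is assumed from what the registry returns for provenance-published packages.

```javascript
// Added example, not the scanner's or the project's code: classify each published
// version of an npm package by whether registry metadata carries a SLSA provenance
// attestation. Against the live registry the same data comes from
//   npm view @microsoft/rayfin-cli dist.attestations --json
// and the actual verification from `npm audit signatures` on an installed tree.

// Constructed, abridged packument. The 1.33.x entries mirror the page; 9.9.9 is a
// hypothetical release published with `npm publish --provenance` (assumed shape).
const samplePackument = {
  name: '@microsoft/rayfin-cli',
  'dist-tags': { latest: '1.33.1' },
  versions: {
    '1.33.0': { dist: { tarball: 'https://registry.npmjs.org/@microsoft/rayfin-cli/-/rayfin-cli-1.33.0.tgz', integrity: 'sha512-...' } },
    '1.33.1': { dist: { tarball: 'https://registry.npmjs.org/@microsoft/rayfin-cli/-/rayfin-cli-1.33.1.tgz', integrity: 'sha512-...' } },
    '9.9.9': {
      dist: {
        tarball: 'https://registry.npmjs.org/@microsoft/rayfin-cli/-/rayfin-cli-9.9.9.tgz',
        integrity: 'sha512-...',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@microsoft%2frayfin-cli@9.9.9',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Both SLSA v0.2 and v1 predicate types share this prefix.
const SLSA_PREFIX = 'https://slsa.dev/provenance/';

// Per-version status: attestation present? is it SLSA provenance? finding text if not.
function provenanceReport(packument) {
  const report = {};
  for (const [version, meta] of Object.entries(packument.versions)) {
    const att = meta.dist && meta.dist.attestations;
    const predicate = att && att.provenance && att.provenance.predicateType;
    const slsa = typeof predicate === 'string' && predicate.startsWith(SLSA_PREFIX);
    report[version] = {
      hasAttestation: Boolean(att && att.url),
      slsaProvenance: slsa,
      finding: slsa ? null : 'Package was published without Sigstore provenance',
    };
  }
  return report;
}

// Versions that would each raise the page's "no-provenance" finding.
function versionsWithoutProvenance(packument) {
  return Object.entries(provenanceReport(packument))
    .filter(([, r]) => !r.slsaProvenance)
    .map(([v]) => v);
}

// Status of the "latest" dist-tag, which is what the page's provenance row reports.
function latestStatus(packument) {
  const latest = packument['dist-tags'].latest;
  return { version: latest, ...provenanceReport(packument)[latest] };
}

console.log(latestStatus(samplePackument));
console.log('versions without provenance:', versionsWithoutProvenance(samplePackument));
```

An attestation URL in metadata is not verification; it only says there is something to verify. `npm audit signatures` checks the registry signature and the Sigstore bundle against the installed tarballs, and that is the check to run before trusting a version this report marks as having provenance.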
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Microsoft-published package; provenance is a best-practice enhancement, not a blocker. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is @vscode/deviceid, a Microsoft-owned package consistent with this CLI's Microsoft/VSCode ecosystem. | ai | |
| phantom-deps | phantom-dep:@microsoft/rayfin-guide | AI (phantom-deps): Same-org Microsoft package declared but not directly imported; consistent with template/docs pattern across versions. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are template scaffolding assets for a CLI tool; consistent with legitimate feature additions by a trusted Microsoft publisher. | ai | |
| dependencies | unvetted-dep:@azure/monitor-opentelemetry-exporter | AI (dependencies): First-party Microsoft/Azure telemetry package; beta label is expected for this SDK and consistent with the package's purpose. | ai | |
| phantom-deps | phantom-dep:@types/cli-progress | AI (phantom-deps): Type-only package; framework-scoped, expected pattern. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): CLI tool; tsx likely used as a dev/runtime script runner, referenced in config not direct imports. | ai | |
| phantom-deps | phantom-dep:@types/jsonwebtoken | AI (phantom-deps): Type-only package; framework-scoped, expected pattern. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Likely used transitively or in bundled dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:cli-progress | AI (phantom-deps): Likely used in bundled dist output; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): Likely used in bundled dist output; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api | AI (phantom-deps): Telemetry API likely consumed via re-exports or bundled dist; stable false positive. | ai | |
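Two of the rules accepted above, `new-deps-added` and `phantom-dep`, as an added example rather than the scanner's own implementation. The manifests and source snippets are constructed to reproduce the page's findings: `@vscode/deviceid` and `@microsoft/rayfin-guide` appear as new dependencies, and only the latter is never imported. Scanning the published `dist/` output as well as `src/` is what turns the `uuid`, `cli-progress` and `jsonwebtoken` rows from findings into non-findings, so the sample includes bundled output.

```javascript
// Added example, not the scanner's code: the new-deps-added and phantom-dep checks
// over constructed inputs. Package names mirror the page; versions and file contents
// are invented.

// Constructed manifests for two consecutive releases.
const prevPkg = {
  dependencies: { uuid: '^9.0.0', 'cli-progress': '^3.12.0', jsonwebtoken: '^9.0.0' },
  devDependencies: { tsx: '^4.0.0' },
};
const nextPkg = {
  dependencies: {
    uuid: '^9.0.0', 'cli-progress': '^3.12.0', jsonwebtoken: '^9.0.0',
    '@vscode/deviceid': '^0.1.0', '@microsoft/rayfin-guide': '^1.0.0',
  },
  devDependencies: { tsx: '^4.0.0', '@types/cli-progress': '^3.11.0' },
};

// Constructed file contents of the published tarball (dist/) plus one source file.
const sources = {
  'dist/cli.js': `const { v4 } = require('uuid');\nconst jwt = require("jsonwebtoken");\nconst { machineId } = require('@vscode/deviceid');`,
  'dist/progress.js': `import { SingleBar } from 'cli-progress/lib/single-bar';`,
  'src/index.ts': `import type { Options } from 'cli-progress';`,
};

// Sorted, de-duplicated names declared in the given manifest fields.
function declaredDeps(pkg, fields = ['dependencies']) {
  const names = new Set();
  for (const f of fields) for (const name of Object.keys(pkg[f] || {})) names.add(name);
  return [...names].sort();
}

// new-deps-added: names declared in `next` that `prev` did not declare.
function newDepsAdded(prev, next, fields = ['dependencies', 'devDependencies']) {
  const before = new Set(declaredDeps(prev, fields));
  return declaredDeps(next, fields).filter((n) => !before.has(n));
}

// Map an import specifier to its package name: '@scope/pkg/sub' -> '@scope/pkg',
// 'pkg/sub' -> 'pkg'; relative paths and node: builtins are not packages.
function packageFromSpecifier(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Matches `from 'x'`, `require('x')`, `import('x')` and bare `import 'x'`.
// Deliberately coarse: it also fires inside comments and string literals.
const IMPORT_RE = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(?\s*)['"]([^'"]+)['"]/g;

function importedPackages(files) {
  const seen = new Set();
  for (const text of Object.values(files)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const pkg = packageFromSpecifier(m[1]);
      if (pkg) seen.add(pkg);
    }
  }
  return seen;
}

// phantom-dep: declared runtime dependencies never imported from the shipped files.
// Only `dependencies` by default: @types/* and runners like tsx live in
// devDependencies and are never imported, which is the reasoning the table applies.
function phantomDeps(pkg, files, fields = ['dependencies']) {
  const imported = importedPackages(files);
  return declaredDeps(pkg, fields).filter((d) => !imported.has(d));
}

console.log('new deps:', newDepsAdded(prevPkg, nextPkg));
console.log('phantom deps:', phantomDeps(nextPkg, sources));
```

A production check would parse the files instead of running a regex, and would read `files` from the tarball `npm pack` produces rather than from the repository, since that is the artifact consumers install.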
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.33.1 | 26 / 12 | |
| 1.33.0 | 26 / 12 | |
| 1.23.0 | 25 / 12 | |
| 1.22.0 | 24 / 12 | |
| 1.21.0 | 24 / 12 | |
| 1.20.1 | 23 / 12 | |
| 1.20.0 | 23 / 12 | |
| 1.19.0 | 23 / 12 | |
| 1.18.0 | 22 / 12 | |
| 1.17.0 | 22 / 11 | |
| 1.16.1 | 22 / 11 | |
| 1.16.0 | 22 / 11 | |
| 1.15.0 | 22 / 11 | |
| 1.14.0 | 22 / 11 | |
v1.33.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.33.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.23.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.22.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.21.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.20.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.20.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.19.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.18.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.
v1.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance in CI/CD.