@mingto/mt-cli

明途 scaffolding tool

Versions: 13
License: ISC
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

minto_marketing

Keywords

cli

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| phantom-deps | phantom-dep:node-emoji | AI (phantom-deps): Emoji support; standard CLI tool dependency. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Terminal color library; standard CLI tool dependency. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): File globbing; legitimate scaffolding tool dependency. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Version parsing; standard CLI tool dependency. | ai | |
| phantom-deps | phantom-dep:inquirer | AI (phantom-deps): Interactive prompts; core scaffolding tool library. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): CLI argument parsing; standard CLI tool dependency. | ai | |
| phantom-deps | phantom-dep:form-data | AI (phantom-deps): Form data handling; legitimate CLI dependency. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): CLI spinner library; declared and used in scaffolding tool. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): HTTP client; legitimate CLI dependency. | ai | |
| phantom-deps | phantom-dep:boxen | AI (phantom-deps): CLI box drawing; standard scaffolding tool dependency. | ai | |
| phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Used transitively by globby; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:picocolors | AI (phantom-deps): Used by build/CLI tools; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:sudo-prompt | AI (phantom-deps): Legitimate CLI dependency for privilege escalation; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): TypeScript types loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/inquirer | AI (phantom-deps): TypeScript types loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Used transitively by globby; stable false positive for this package. | ai | |

Versions (showing 13 of 13)

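| Version | Deps | Published |
| --- | --- | --- |
| 6.2.31 | 17 / 0 | |
| 6.2.30 | 17 / 0 | |
| 6.2.29 | 17 / 0 | |
| 6.2.28 | 17 / 0 | |
| 6.2.27 | 17 / 0 | |
| 6.2.26 | 17 / 0 | |
| 6.2.25 | 17 / 0 | |
| 6.2.24 | 17 / 0 | |
| 6.2.23 | 17 / 0 | |
| 6.2.22 | 16 / 0 | |
| 6.2.21 | 16 / 0 | |
| 6.2.2 | 16 / 0 | |
| 6.2.1 | 16 / 0 | |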

v6.2.31

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.30

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.29

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.28

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.26

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.25

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.24

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.23

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.22

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.21

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.2.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.