@oclif/plugin-plugins
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source repository and build that supposedly produced it: the registry only proves that someone holding publish rights uploaded the file. A compromised publish credential can therefore push a tarball that was never built from the repository, and the axios compromise (March 2026) relied on exactly this gap.
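A way to check this yourself, as an added example that is not part of this page, the scanner that produced it, or the oclif project: the script below reads an npm packument and lists which versions carry a Sigstore/SLSA provenance attestation. It assumes the public registry's packument shape (`versions[v].dist.attestations` with a `url` and a `provenance.predicateType`). The embedded sample packument is constructed; the `9.9.x-example` versions do not exist and are there only to exercise the positive and negative cases.

```javascript
// Added example (not code from @oclif/plugin-plugins or from the page's scanner):
// audit an npm packument for versions published without a Sigstore/SLSA
// provenance attestation. Assumed registry shape: versions[v].dist.attestations
// = { url, provenance: { predicateType } }, which is what the public registry
// returns for versions published with `npm publish --provenance`.

const SLSA_PREDICATE_TYPES = new Set([
  'https://slsa.dev/provenance/v0.2',
  'https://slsa.dev/provenance/v1',
]);

// True only when the version document carries an attestation bundle URL and the
// provenance predicate is a SLSA provenance schema; any other predicate does not count.
function hasProvenance(versionDoc) {
  const att = versionDoc && versionDoc.dist && versionDoc.dist.attestations;
  if (!att || typeof att.url !== 'string') return false;
  const predicateType = att.provenance && att.provenance.predicateType;
  return SLSA_PREDICATE_TYPES.has(predicateType);
}

// Splits the versions of a packument into those with and without provenance.
function auditPackument(packument) {
  const withProvenance = [];
  const withoutProvenance = [];
  for (const [version, doc] of Object.entries(packument.versions || {})) {
    (hasProvenance(doc) ? withProvenance : withoutProvenance).push(version);
  }
  return { withProvenance, withoutProvenance };
}

// Online path: fetch the packument from the public registry (Node 18+ global fetch).
// Scoped names are sent as @scope%2Fname, the encoding the registry expects.
async function auditFromRegistry(name) {
  const url = `https://registry.npmjs.org/${name.replace('/', '%2F')}`;
  const res = await fetch(url, { headers: { accept: 'application/json' } });
  if (!res.ok) throw new Error(`registry returned HTTP ${res.status} for ${name}`);
  return auditPackument(await res.json());
}

// Constructed sample packument (not real registry data) covering three cases:
// no attestations, a SLSA provenance attestation, and a non-SLSA predicate.
const SAMPLE_PACKUMENT = {
  name: '@oclif/plugin-plugins',
  versions: {
    '5.4.74': {
      dist: { tarball: 'https://registry.npmjs.org/@oclif/plugin-plugins/-/plugin-plugins-5.4.74.tgz' },
    },
    '9.9.9-example': {
      dist: {
        tarball: 'https://registry.npmjs.org/@oclif/plugin-plugins/-/plugin-plugins-9.9.9-example.tgz',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@oclif%2fplugin-plugins@9.9.9-example',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '9.9.8-example': {
      dist: {
        tarball: 'https://registry.npmjs.org/@oclif/plugin-plugins/-/plugin-plugins-9.9.8-example.tgz',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@oclif%2fplugin-plugins@9.9.8-example',
          provenance: { predicateType: 'https://example.invalid/not-slsa' },
        },
      },
    },
  },
};

// `node audit-provenance.js @oclif/plugin-plugins` queries the registry;
// with no argument the constructed sample is audited instead.
if (typeof require !== 'undefined' && require.main === module) {
  const name = process.argv[2];
  const report = name ? auditFromRegistry(name) : Promise.resolve(auditPackument(SAMPLE_PACKUMENT));
  report.then(
    (r) => console.log(JSON.stringify(r, null, 2)),
    (err) => { console.error(err.message); process.exitCode = 1; },
  );
}
```

On the consumer side, `npm audit signatures` runs the equivalent check over an installed node_modules tree, and `npm view @oclif/plugin-plugins dist.attestations` prints the raw field for the latest version. On the maintainer side the finding is closed by publishing from CI with `npm publish --provenance` from a job that can obtain an OIDC token (on GitHub Actions, the `id-token: write` permission), which is what lets Sigstore issue the attestation.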
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 330 versions published by Salesforce's official account; the dormancy signal appears to be a miscalculation for this actively maintained package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is used to run a local rm.js cleanup script for node_modules.old during plugin updates — a documented oclif pattern, not malicious. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same detached spawn instance as silent-process-exec; path is derived from import.meta.url (local), not remote input. Legitimate cleanup pattern. | ai | |
| dependencies | unvetted-dep:yarn | AI (dependencies): yarn is a well-known package manager; its inclusion as a runtime dep is expected for an oclif plugin-management plugin. | ai | |
| phantom-deps | phantom-dep:npm | AI (phantom-deps): npm is a legitimate runtime dependency for a plugin manager; it is invoked as a CLI tool rather than imported as a module, causing the phantom-dep false positive. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 5.4.74 | 11 / 28 | |
| 5.4.73 | 11 / 28 | |
| 5.4.72 | 11 / 28 | |
| 5.4.71 | 11 / 28 | |
| 5.4.70 | 11 / 28 | |
| 5.4.69 | 11 / 28 | |
| 5.4.68 | 11 / 28 | |
| 5.4.67 | 11 / 28 | |
| 5.4.66 | 11 / 28 | |
| 5.4.65 | 11 / 28 | |
| 5.4.64 | 11 / 28 | |
| 5.4.63 | 11 / 28 | |
| 5.4.62 | 11 / 28 | |
| 5.4.61 | 11 / 28 | |
| 5.4.60 | 11 / 28 | |
| 5.4.59 | 11 / 28 | |
| 5.4.58 | 11 / 28 | |
| 5.4.57 | 11 / 28 | |
| 5.4.56 | 11 / 28 | |
| 5.4.55 | 11 / 28 | |
| 5.4.54 | 11 / 28 | |
| 5.4.53 | 11 / 28 | |
| 5.4.52 | 11 / 28 | |
| 5.4.51 | 11 / 28 | |
| 5.4.50 | 11 / 28 | |
| 5.4.49 | 11 / 28 | |
| 5.4.48 | 11 / 28 | |
| 5.4.47 | 11 / 28 | |
| 5.4.46 | 11 / 28 | |
| 5.4.45 | 11 / 28 | |
| 5.4.44 | 11 / 28 | |
| 5.4.43 | 11 / 28 | |
| 5.4.42 | 11 / 28 | |
| 5.4.41 | 11 / 28 | |
| 5.4.40 | 11 / 28 | |
| 5.4.39 | 11 / 28 | |
| 5.4.38 | 11 / 28 | |
| 5.4.37 | 11 / 28 | |
Per-version findings (one finding per listed version)

| Versions | Finding |
|---|---|
| 5.4.74 to 5.4.63 (12 versions) | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.4.58 to 5.4.53 (6 versions) | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.4.51 to 5.4.40 (12 versions) | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.4.39 to 5.4.37 (3 versions) | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |

Versions 5.4.62 through 5.4.59 and 5.4.52 appear in the version table above but have no per-version finding entry on this page.