@open-mercato/cli
The command-line toolbox for Open Mercato developers.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads user-defined module registry index files; documented plugin-loader pattern for this CLI tool. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Appears in a test file as a SQL injection / path traversal test vector, not actual credential harvesting. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Occurs in integration test helpers passing env to child processes; not production credential exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IPs are localhost (127.0.0.1) in test files; not external exfiltration. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @open-mercato/cli is not a plausible typosquat of joi; edit distance comparison is misleading here. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.4.10 | 8 / 4 | |
| 0.4.9 | 8 / 4 | |
| 0.4.8 | 7 / 4 | |
| 0.4.7 | 7 / 4 | |
| 0.4.6 | 7 / 3 | |
| 0.4.5 | 7 / 3 | |
v0.4.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.