@osdk/cli
A CLI for generating OSDKs and managing Foundry site deployments
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/esm/handleGenerate-Y24FBFIT.js | AI (source-diff): Standard bundled ESM build output from Palantir's monorepo build tooling; long lines are minified dependencies, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-XUERNWCM.js | AI (source-diff): Standard bundled ESM output with readable imports; long lines are from bundler, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-66EYPDDD.js | AI (source-diff): Standard bundled ESM output with long lines from inlined vendor deps; not obfuscation. Stable pattern for this CLI package. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-6NDDZTQ4.js | AI (source-diff): Standard bundled ESM output with readable imports and vendored deps; long-line heuristic fires on minified bundles which is normal for this package. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-AQMRM6TE.js | AI (source-diff): Standard bundled ESM build output for this CLI package; long lines are minified third-party deps, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/estree-PTS7QPRO.js | AI (source-diff): Bundled prettier estree plugin; minified but not obfuscated, source comments present. | ai | |
| source-diff | obfuscated-file:build/esm/babel-BV4W3BOJ.js | AI (source-diff): Bundled prettier babel plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/meriyah-Q2DK6BAD.js | AI (source-diff): Bundled prettier meriyah plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/markdown-FZBHQ3B4.js | AI (source-diff): Bundled prettier markdown plugin; minified build artifact. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by bundling prettier and its plugins into ESM build. | ai | |
| source-diff | obfuscated-file:build/esm/flow-Y46VD55R.js | AI (source-diff): Bundled prettier flow plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/html-EQKLXLBJ.js | AI (source-diff): Bundled prettier html plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/typescript-DEUJRDXE.js | AI (source-diff): Bundled prettier typescript plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-HTRTGZMS.js | AI (source-diff): Bundled CLI generate handler with standard deps; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/acorn-2YJLPGID.js | AI (source-diff): Bundled prettier acorn plugin; minified build artifact. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-BYX3RSTN.js | AI (source-diff): Standard bundled/minified ESM build output for a CLI tool; long lines are from bundled deps, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-DPCWL4NA.js | AI (source-diff): Bundler output with readable imports and vendored deps; long lines are normal for this package's ESM bundle artifacts. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-Q5K3LEZ5.js | AI (source-diff): Standard bundled ESM build output; long lines are bundler artifacts, not obfuscation. Consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-Y53MRU5K.js | AI (source-diff): Large bundled CLI entry point; imports are all known @osdk/* and standard node modules. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-DF7TBQ2A.js | AI (source-diff): Standard bundled ESM output from Palantir's build toolchain; long lines are minified vendor code, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-7ILWGRQB.js | AI (source-diff): Standard ESM bundle output for this CLI package; long lines are minified third-party deps, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-WLJU7Z7S.js | AI (source-diff): Bundled ESM CLI artifact with readable code; long lines from minification are expected for this build pipeline. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-JNGIGXM6.js | AI (source-diff): Standard bundled ESM output with long lines from inlined vendor deps; not obfuscated. Consistent with this package's build tooling. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-WEIAQ4UM.js | AI (source-diff): Standard bundled ESM build output from Palantir monorepo; long lines are minified bundle artifacts, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-T5HVEK3S.js | AI (source-diff): Standard bundled ESM output; long lines are from bundling dependencies, not obfuscation. Consistent with this package's build tooling. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-CMN4NOT4.js | AI (source-diff): Bundled build output with identifiable deps (fast-deep-equal etc); not obfuscated. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-5G46D55G.js | AI (source-diff): Standard bundled ESM output from Palantir monorepo build tooling; long lines are minified vendor code, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/esm/babel-CZ4ABLWM.js | AI (source-diff): Bundled minified copy of prettier's babel plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/acorn-XTQOGPYA.js | AI (source-diff): Bundled minified copy of prettier's acorn plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/typescript-WRJ675HS.js | AI (source-diff): Bundled minified copy of prettier's typescript plugin; consistent with build pattern. | ai | |
| source-diff | obfuscated-file:build/esm/meriyah-X3HRS3MQ.js | AI (source-diff): Bundled minified copy of prettier's meriyah plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/markdown-MDO5E7NJ.js | AI (source-diff): Bundled minified copy of prettier's markdown plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/html-7APBHT5V.js | AI (source-diff): Bundled minified copy of prettier's html plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-QRF6FEM4.js | AI (source-diff): Bundled CLI logic with well-known deps (fast-deep-equal, @osdk/* packages); no malicious patterns. | ai | |
| source-diff | obfuscated-file:build/esm/flow-FQOP5LTE.js | AI (source-diff): Bundled minified copy of prettier's flow plugin; source comment confirms origin. | ai | |
| source-diff | obfuscated-file:build/esm/estree-4N7UOKYF.js | AI (source-diff): Bundled minified copy of prettier's estree plugin; source comment confirms origin. | ai | |
| provenance | publisher-changed | AI (provenance): Palantir migrated to GitHub Actions CI publishing with SLSA attestation; repo URL unchanged. | ai | |
| dependencies | unvetted-dep:@osdk/gateway | AI (dependencies): Same-org Palantir OSDK monorepo sibling dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@osdk/api | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for monorepo packages with re-exports. | ai | |
| dependencies | unvetted-dep:@osdk/shared.net | AI (dependencies): Same-org Palantir OSDK monorepo sibling dependency; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:build/esm/handleGenerate-POY3JZSK.js | AI (source-diff): Standard bundler output (tsup/rollup ESM bundle) for a CLI tool; long lines are minified vendor deps, not obfuscation. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): ajv is a declared runtime dep used via config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@arethetypeswrong/cli | AI (phantom-deps): Used as a CLI tool invoked via scripts, not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @osdk/cli package from Palantir; Levenshtein match against 'joi' is a false positive. | ai | |
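The accepted-risk entries above all come from one heuristic (a line over 3000 characters) being answered with the same set of counter-signals: readable `import` specifiers, a bundler banner or source comment, and recognizable vendor code. The helper below is an added example, not code from @osdk/cli or from the scanner that produced this report; it applies those counter-signals, plus a few positive obfuscation markers, to decide whether a flagged file is ordinary minified bundler output or deserves a human look. The marker patterns, thresholds and the two sample files are constructed for illustration.

```javascript
// Added example (not code from @osdk/cli or from the scanner behind this report).
// The "lines over 3000 chars" rule only flags a file; this helper applies the
// signals the accepted-risk notes rely on to decide whether a flagged file is
// ordinary minified bundler output or looks obfuscated. Thresholds and marker
// patterns are illustrative assumptions, not the scanner's own rules.

const LONG_LINE_CHARS = 3000;

// What esbuild/tsup/rollup output keeps that an obfuscator strips away.
const READABLE_IMPORT_RE = /^(?:import|export)\b[^;\n]*?\bfrom\s*["'][^"'\n]+["']/m;
const BUNDLER_BANNER_RES = [
  /\/\*!\s*Bundled license information:/, // esbuild license banner
  /\/\/# sourceMappingURL=/,              // source-map pointer
  /^\/\/ (?:src|node_modules)\/[^\n]+$/m, // esbuild per-module path comments
];

// What minifiers never emit but string-array obfuscators typically do.
const OBFUSCATION_MARKERS = {
  hexIdentifiers: /\b_0x[0-9a-f]{3,}\b/g,        // _0x4f2a-style names
  hexEscapedStrings: /\\x[0-9a-f]{2}/g,          // '\x68\x65...' string literals
  dynamicEval: /\b(?:eval|Function)\s*\(/g,      // eval(...) / new Function(...)
  charCodeDecoding: /String\.fromCharCode\s*\(/g,
};

function countMatches(text, re) {
  const hits = text.match(re);
  return hits ? hits.length : 0;
}

function triageLongLines(source) {
  const longLines = source.split("\n").filter((l) => l.length > LONG_LINE_CHARS).length;
  const readableImports = READABLE_IMPORT_RE.test(source);
  const bundlerBanner = BUNDLER_BANNER_RES.some((re) => re.test(source));

  const markers = {};
  for (const [name, re] of Object.entries(OBFUSCATION_MARKERS)) {
    markers[name] = countMatches(source, re);
  }
  // Escape density per KiB, so a few legitimate "\x00" escapes inside a large
  // vendored dependency do not tip a normal bundle into the obfuscated bucket.
  const escapesPerKiB = markers.hexEscapedStrings / Math.max(1, source.length / 1024);

  let verdict;
  if (longLines === 0) {
    verdict = "not-flagged";
  } else if (
    markers.hexIdentifiers >= 5 ||
    escapesPerKiB > 20 ||
    (markers.dynamicEval > 0 && markers.charCodeDecoding > 0)
  ) {
    verdict = "likely-obfuscated";
  } else if (readableImports || bundlerBanner) {
    verdict = "minified-bundle";
  } else {
    verdict = "needs-manual-review";
  }
  return { longLines, readableImports, bundlerBanner, markers, escapesPerKiB: Math.round(escapesPerKiB), verdict };
}

// Constructed sample 1: an esbuild-style ESM chunk with a vendored dependency
// minified onto a single ~5.7k-char line (the shape the accepted entries describe).
const MINIFIED_BUNDLE = [
  'import { createRequire } from "node:module";',
  'import { resolve } from "node:path";',
  "// node_modules/fast-deep-equal/index.js",
  "var e=function(t,n){if(t===n)return!0;return!1};".repeat(120),
  "/*! Bundled license information:",
  "fast-deep-equal/index.js:",
  "  (*! MIT License *)",
  "*/",
  "export { e as fastDeepEqual };",
  "//# sourceMappingURL=chunk.js.map",
].join("\n");

// Constructed sample 2: string-array obfuscator output on one long line. The
// payload only spells "hello" in hex escapes; it is a pattern sample, not a
// real malicious file.
const HEX_HELLO = "'\\x68\\x65\\x6c\\x6c\\x6f'";
const OBFUSCATED =
  "var _0x4f2a=[" + Array(200).fill(HEX_HELLO).join(",") + "];" +
  "(function(_0x1b3c,_0x2e4d){var _0x3c5e=function(_0x5f1a){while(--_0x5f1a){" +
  "_0x1b3c['push'](_0x1b3c['shift']());}};_0x3c5e(++_0x2e4d);}(_0x4f2a,0x1a3));" +
  "var _0x6d7f=function(_0x7e8a){return _0x4f2a[_0x7e8a-0x0];};" +
  "eval(String.fromCharCode(0x63,0x6f,0x6e,0x73,0x6f,0x6c,0x65));";

for (const [name, src] of Object.entries({ MINIFIED_BUNDLE, OBFUSCATED })) {
  console.log(name, JSON.stringify(triageLongLines(src)));
}
```

Run it over every `build/esm/*.js` in the unpacked tarball (`npm pack @osdk/cli` then `tar xzf`) rather than the repository checkout: the question is what was published, not what is in git. A `needs-manual-review` verdict means the long line has neither bundler fingerprints nor obfuscation markers, which is exactly the case the accepted-risk reasons above could not be reused for.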
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 0.53.0 | 13 / 12 | |
| 0.52.0 | 13 / 12 | |
| 0.51.0 | 13 / 12 | |
| 0.50.0 | 13 / 12 | |
| 0.49.0 | 13 / 12 | |
| 0.48.0 | 13 / 12 | |
| 0.47.0 | 13 / 12 | |
| 0.46.0 | 13 / 12 | |
| 0.45.0 | 13 / 12 | |
| 0.44.0 | 13 / 12 | |
| 0.43.0 | 13 / 12 | |
| 0.41.0 | 13 / 12 | |
| 0.40.0 | 13 / 12 | |
| 0.39.0 | 13 / 12 | |
| 0.38.0 | 13 / 12 | |
| 0.37.0 | 13 / 11 | |
| 0.36.0 | 13 / 11 | |
| 0.35.0 | 13 / 11 | |
| 0.34.0 | 13 / 11 | |
| 0.33.0 | 13 / 11 | |
| 0.32.0 | 9 / 15 | |
| 0.31.2 | 9 / 15 | |
| 0.23.7 | 13 / 12 | |
v0.53.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.52.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.51.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.50.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.49.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.48.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.46.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.45.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.44.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.43.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.41.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.40.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.39.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.38.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.37.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.35.0
11 findings
This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.0
11 findings
This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.0
11 findings
This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.2
11 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sauravsanj) than the most recent previously approved version (palantir) on 2026-04-06, but sauravsanj is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
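The v0.31.2 note above spells out the rule that separates an INFO publisher change from a WARN one: the new account must already appear in the maintainers list of earlier versions. The script below is an added example, not code from @osdk/cli or from the scanner; it walks a registry packument oldest to newest, applies that rule, and records for each version whether a SLSA v1 provenance attestation is attached. The packument field names (`_npmUser`, `maintainers`, `dist.attestations.provenance.predicateType`) follow the public npm registry as I understand it and should be treated as an assumption; the sample packument and the account names in it are constructed.

```javascript
// Added example (not code from @osdk/cli or from the scanner behind this
// report). It reproduces the publisher-continuity reasoning the v0.31.2 note
// applies: a publisher change is only escalated when the new account was not
// already listed as a maintainer on earlier versions, and every version is
// checked for a Sigstore/SLSA provenance attestation. Field names follow the
// public npm registry packument as I understand it; treat them as assumptions.

const SLSA_V1 = "https://slsa.dev/provenance/v1";

// Numeric ordering for x.y.z versions (no prerelease handling needed here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function provenanceOf(manifest) {
  const att = manifest.dist && manifest.dist.attestations;
  return att && att.provenance ? att.provenance.predicateType || null : null;
}

// Walk versions oldest to newest and classify each publish event.
function auditPublishers(packument) {
  const versions = Object.keys(packument.versions).sort(compareVersions);
  const knownMaintainers = new Set();
  let previousPublisher = null;
  const records = [];

  for (const version of versions) {
    const manifest = packument.versions[version];
    const publisher = manifest._npmUser ? manifest._npmUser.name : null;
    let change;
    if (previousPublisher === null) {
      change = "baseline";
    } else if (publisher === previousPublisher) {
      change = "none";
    } else if (knownMaintainers.has(publisher)) {
      change = "known-maintainer"; // INFO: manual publish by an existing maintainer
    } else {
      change = "unknown-publisher"; // WARN: transition or compromise, verify out of band
    }
    const predicateType = provenanceOf(manifest);
    records.push({ version, publisher, change, provenance: predicateType, slsaV1: predicateType === SLSA_V1 });
    // Only maintainers listed on versions *before* the next publish count as "known".
    for (const m of manifest.maintainers || []) knownMaintainers.add(m.name);
    previousPublisher = publisher;
  }
  return records;
}

// Versions that warrant a human look: unknown publisher, or no SLSA v1 attestation.
function versionsNeedingReview(records) {
  return records
    .filter((r) => r.change === "unknown-publisher" || !r.slsaV1)
    .map((r) => r.version);
}

// Constructed packument mirroring the pattern in this report: two human
// maintainers, then a new account that starts publishing, first without and
// then with SLSA v1 provenance. Names are placeholders, not real npm accounts.
const HUMANS = [{ name: "maintainer-a" }, { name: "maintainer-b" }];
const SAMPLE_PACKUMENT = {
  name: "@example/cli",
  versions: {
    "0.23.7": { _npmUser: { name: "maintainer-a" }, maintainers: HUMANS, dist: {} },
    "0.31.2": { _npmUser: { name: "maintainer-b" }, maintainers: HUMANS, dist: {} },
    "0.32.0": { _npmUser: { name: "maintainer-a" }, maintainers: HUMANS, dist: {} },
    "0.33.0": { _npmUser: { name: "release-bot" }, maintainers: HUMANS, dist: {} },
    "0.34.0": {
      _npmUser: { name: "release-bot" },
      maintainers: [...HUMANS, { name: "release-bot" }],
      dist: {
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/@example%2fcli@0.34.0",
          provenance: { predicateType: SLSA_V1 },
        },
      },
    },
  },
};

const RECORDS = auditPublishers(SAMPLE_PACKUMENT);
for (const r of RECORDS) console.log(r.version, r.publisher, r.change, r.provenance || "no provenance");
console.log("review:", versionsNeedingReview(RECORDS).join(", "));
```

Against the real registry the input is the packument at `https://registry.npmjs.org/@osdk%2fcli`. An attestation being present in the packument is not the same as it verifying: run `npm audit signatures` in a project that has the package installed to have npm check the registry signatures and provenance attestations of what was actually fetched, which is the step that turns the "Published via CI/CD with Sigstore attestation" line into something you have confirmed yourself.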
v0.23.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.