@php-wasm/cli
PHP.wasm CLI for node.js
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Package now published via GitHub Actions CI with SLSA attestation; this is the expected automated release pattern for this monorepo. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in bundled third-party library code (fast-xml-parser/yargs) in the official WordPress Playground repo; not malicious. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires in bundled xdebug-bridge/CDP code in main.js; legitimate debug protocol usage. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js, not directly imported as ESM. | ai | |
| phantom-deps | phantom-dep:ini | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:xml2js | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @php-wasm/cli is a scoped package from WordPress org; Levenshtein match to 'joi' is a false positive. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:@php-wasm/cli-util | AI (phantom-deps): Same-org scoped package, bundled into distribution artifact. | ai | |
| phantom-deps | phantom-dep:@php-wasm/universal | AI (phantom-deps): Same-org scoped package, bundled into distribution artifact. | ai | |
| phantom-deps | phantom-dep:wasm-feature-detect | AI (phantom-deps): Bundled CLI package; deps are bundled into main.js. | ai | |
| phantom-deps | phantom-dep:fs-ext-extra-prebuilt | AI (phantom-deps): Platform-specific binary package; expected phantom-dep pattern for prebuilt native modules. | ai | |
| phantom-deps | phantom-dep:@php-wasm/xdebug-bridge | AI (phantom-deps): Same-org scoped package, bundled into distribution artifact. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate WordPress/php-wasm project; short README and no keywords are cosmetic issues only. | ai | |
| phantom-deps | phantom-dep:@php-wasm/node | AI (phantom-deps): Same-org scoped package, bundled into distribution artifact. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires inside bundled yargs code in main.js; not a malicious pattern for this CLI tool. | ai |
Versions (showing 51 of 72)
| Version | Deps | Published |
|---|---|---|
| 3.1.36 | 4 / 0 | |
| 3.1.35 | 4 / 0 | |
| 3.1.34 | 4 / 0 | |
| 3.1.33 | 4 / 0 | |
| 3.1.32 | 4 / 0 | |
| 3.1.31 | 4 / 0 | |
| 3.1.30 | 4 / 0 | |
| 3.1.29 | 4 / 0 | |
| 3.1.28 | 14 / 0 | |
| 3.1.27 | 14 / 0 | |
| 3.1.26 | 14 / 0 | |
| 3.1.25 | 13 / 0 | |
| 3.1.22 | 13 / 0 | |
| 3.1.21 | 13 / 0 | |
| 3.1.20 | 13 / 0 | |
| 3.1.19 | 13 / 0 | |
| 3.1.18 | 13 / 0 | |
| 3.1.16 | 13 / 0 | |
| 3.1.15 | 13 / 0 | |
| 3.1.14 | 13 / 0 | |
| 3.1.13 | 13 / 0 | |
| 3.1.12 | 13 / 0 | |
| 3.1.11 | 13 / 0 | |
| 3.1.10 | 13 / 0 | |
| 3.1.9 | 13 / 0 | |
| 3.1.8 | 13 / 0 | |
| 3.1.5 | 13 / 0 | |
| 3.1.4 | 13 / 0 | |
| 3.1.3 | 13 / 0 | |
| 3.1.2 | 13 / 0 | |
| 3.1.1 | 13 / 0 | |
| 3.1.0 | 13 / 0 | |
| 3.0.54 | 12 / 0 | |
| 3.0.53 | 12 / 0 | |
| 3.0.52 | 12 / 0 | |
| 3.0.51 | 12 / 0 | |
| 3.0.46 | 12 / 0 | |
| 3.0.45 | 12 / 0 | |
| 3.0.44 | 12 / 0 | |
| 3.0.43 | 12 / 0 | |
| 3.0.42 | 12 / 0 | |
| 3.0.41 | 12 / 0 | |
| 3.0.40 | 12 / 0 | |
| 3.0.39 | 12 / 0 | |
| 3.0.38 | 12 / 0 | |
| 3.0.37 | 12 / 0 | |
| 3.0.36 | 12 / 0 | |
| 3.0.35 | 12 / 0 | |
| 3.0.34 | 12 / 0 | |
| 3.0.33 | 12 / 0 | |
| 3.0.32 | 12 / 0 |
v3.1.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.20
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.13
2 findingsThis version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.12
2 findingsThis version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.11
2 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.10
2 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.9
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.5
2 findingsThis version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.3
2 findingsThis version was published by a different npm account than previous versions on 2026-03-02. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.2
2 findingsThis version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.54
2 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.53
2 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.52
2 findingsThis version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.51
2 findingsThis version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.46
2 findingsThis version was published by a different npm account than previous versions on 2026-01-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.45
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.44
2 findingsThis version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.43
2 findingsThis version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.42
2 findingsThis version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.41
2 findingsThis version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.40
2 findingsThis version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.39
2 findingsThis version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.38
2 findingsThis version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.37
2 findingsThis version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.36
2 findingsThis version was published by a different npm account than previous versions on 2026-01-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.35
2 findingsThis version was published by a different npm account than previous versions on 2025-12-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.34
2 findingsThis version was published by a different npm account than previous versions on 2025-12-24. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.33
2 findingsThis version was published by a different npm account than previous versions on 2025-12-22. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.32
2 findingsThis version was published by a different npm account than previous versions on 2025-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.