@red-hat-developer-hub/cli
CLI for developing Backstage plugins and apps
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:react-refresh | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:esbuild-loader | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:gitconfiglocal | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:@changesets/cli | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:@backstage/types | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:html-webpack-plugin | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:bfj | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:codeowners | AI (phantom-deps): CLI build tool; deps referenced via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known implicit runtime/binary dependency for build tools; stable false positive. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): eslint is referenced in config files as expected for a CLI build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): typescript referenced in config/scripts as expected for a build CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:webpack-dev-server | AI (phantom-deps): webpack-dev-server used via config in build CLI context; stable false positive. | ai | |
| phantom-deps | phantom-dep:@backstage/cli | AI (phantom-deps): Referenced in config files as expected for a Backstage-based CLI; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @red-hat-developer-hub/cli bears no resemblance to 'joi'; levenshtein match is a false positive. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.10.6 | 52 / 35 | |
| 1.10.5 | 52 / 35 | |
| 1.10.4 | 51 / 35 | |
| 1.10.0 | 49 / 23 | |
| 1.9.0 | 49 / 23 | |
v1.10.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.