@ridit/milo
Tiny cat. Big code.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:pino | AI (typosquat): Scoped CLI package @ridit/milo is unrelated to pino logger; Levenshtein match is coincidental. | ai | |
| phantom-deps | phantom-dep:ai | AI (phantom-deps): Deps are bundled via bun build; phantom-dep heuristic doesn't account for bundled output. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): Bundled via bun build --external ink; not directly imported in dist. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Bundled via bun build --external chalk; phantom-dep heuristic inapplicable. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled via bun build --external react; phantom-dep heuristic inapplicable. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:figures | AI (phantom-deps): Bundled via bun build --external figures; phantom-dep heuristic inapplicable. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Bundled via bun build --external commander; phantom-dep heuristic inapplicable. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): Bundled via bun build --external ink-spinner; phantom-dep heuristic inapplicable. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/groq | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:cli-truncate | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:ai-sdk-ollama | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:cli-highlight | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/google | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/openai | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:@vscode/ripgrep | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/anthropic | AI (phantom-deps): Bundled dependency; phantom-dep heuristic inapplicable to bundled packages. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.7.7 | 21 / 10 | |
| 0.7.6 | 21 / 10 | |
| 0.6.9 | 21 / 10 | |
| 0.6.8 | 21 / 10 | |
v0.7.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.