@routecraft/cli

CLI for running Routecraft routes

Versions: 5
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

ex0b1t

Keywords

routecraft, cli, routes, automation, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher with SLSA attestation is consistent with legitimate CI/CD automation for this org. | ai | |
| phantom-deps | phantom-dep:@routecraft/routecraft | AI (phantom-deps): Workspace sibling package; phantom-dep heuristic fires on workspace: protocol deps that aren't directly imported at source level. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): Build/runtime tool declared as dep; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Required by ink TUI; declared as external in build script, stable false positive. | ai | |
| phantom-deps | phantom-dep:croner | AI (phantom-deps): Optional scheduling integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Common env-loading dep; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:cheerio | AI (phantom-deps): Optional scraping integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:imapflow | AI (phantom-deps): Optional email integration; phantom-dep heuristic false positive for this CLI. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @routecraft/cli; edit-distance match to 'joi' is coincidental, not a typosquat. | ai | |
| phantom-deps | phantom-dep:mailparser | AI (phantom-deps): Optional email parsing integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:nodemailer | AI (phantom-deps): Optional email sending integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Optional logging integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:agent-browser | AI (phantom-deps): Declared dep used conditionally; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-base | AI (phantom-deps): Optional telemetry integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:papaparse | AI (phantom-deps): Optional CSV integration; phantom-dep heuristic false positive for this CLI. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): TUI dependency declared for optional use; CLI tools commonly bundle optional integrations. | ai | |

Versions (showing 5 of 5)

Version Deps Published
0.5.0 15 / 4
0.4.0 16 / 5
0.3.0 5 / 0
0.2.0 3 / 0
0.1.1 3 / 0

v0.5.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

2 findings
HIGH: Publisher changed: ex0b1t → GitHub Actions (on 2026-02-18) (provenance)

On 2026-02-18 this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.