@secondlayer/cli — Greenflagged

CLI for subgraphs and blockchain indexing on Stacks

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ryanwaits

Keywords

stacksclarityblockchainsmart-contractscli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are official Biome packages replacing prettier; benign formatter swap.	ai	2026/05/02
dependencies	unvetted-dep:@secondlayer/views	AI (dependencies): First-party @secondlayer scoped package; consistent with this CLI's own monorepo.	ai	2026/05/02
phantom-deps	phantom-dep:execa	AI (phantom-deps): CLI tools commonly use execa for subprocess execution; declared in deps and consistent with the tool's purpose even if not directly imported at the module level.	ai	2026/04/27
phantom-deps	phantom-dep:@antfu/ni	AI (phantom-deps): CLI tools use @antfu/ni for package manager detection; declared in deps and consistent with scaffolding/codegen CLI use cases.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Established package with 64 versions and 330-day history; lack of provenance is common and not a disqualifying signal for this package.	ai	2026/04/26
phantom-deps	phantom-dep:@secondlayer/workflows	AI (phantom-deps): Same-org scoped package declared but not directly imported; consistent with monorepo tooling patterns for @secondlayer packages.	ai	2026/04/26
dependencies	unvetted-dep:@secondlayer/workflows	AI (dependencies): First-party dependency from the same @secondlayer organization namespace; contextually appropriate for this CLI package.	ai	2026/04/26
dependencies	unvetted-dep:@biomejs/js-api	AI (dependencies): @biomejs/js-api is the official programmatic API for Biome, a well-known JS toolchain. This is a legitimate, reputable dependency used for code formatting/linting in the CLI.	ai	2026/04/26
typosquat	typosquat.levenshtein:joi	AI (typosquat): @secondlayer/cli is a scoped CLI package with 330 days of history and 64 versions; levenshtein match to 'joi' is a superficial false positive with no impersonation intent.	ai	2026/04/25
phantom-deps	phantom-dep:@biomejs/wasm-nodejs	AI (phantom-deps): @biomejs/wasm-nodejs is a known platform-specific optional dep of the Biome toolchain, commonly referenced in config but not directly imported. Stable false positive for any Biome-using package.	ai	2026/04/25

Versions (showing 51 of 104)

View all versions

Version	Deps	Published
8.6.1	11 / 11	2026-06-06
8.6.0	11 / 11	2026-06-06
8.5.2	11 / 11	2026-06-06
8.5.1	11 / 11	2026-06-04
8.5.0	11 / 11	2026-06-04
8.4.3	11 / 11	2026-06-04
8.4.2	11 / 11	2026-06-04
8.4.1	11 / 11	2026-06-02
8.4.0	11 / 11	2026-06-02
8.3.0	11 / 11	2026-05-30
8.2.0	11 / 11	2026-05-30
8.1.0	11 / 11	2026-05-29
8.0.0	11 / 11	2026-05-29
7.0.1	11 / 11	2026-05-29
7.0.0	11 / 11	2026-05-29
6.0.0	11 / 11	2026-05-29
5.10.1	11 / 11	2026-05-29
5.10.0	11 / 11	2026-05-29
5.9.0	11 / 11	2026-05-28
5.8.0	10 / 11	2026-05-28
5.7.0	10 / 11	2026-05-28
5.6.6	10 / 11	2026-05-27
5.6.5	10 / 11	2026-05-24
5.6.3	10 / 11	2026-05-21
5.6.2	10 / 11	2026-05-21
5.6.1	10 / 11	2026-05-21
5.6.0	10 / 11	2026-05-18
5.5.0	10 / 11	2026-05-18
5.4.10	10 / 11	2026-05-18
5.4.9	10 / 11	2026-05-18
5.4.8	10 / 11	2026-05-18
5.4.7	10 / 11	2026-05-18
5.4.6	10 / 11	2026-05-17
5.4.5	10 / 11	2026-05-17
5.4.4	10 / 11	2026-05-17
5.4.3	10 / 11	2026-05-17
5.4.2	10 / 11	2026-05-17
5.4.1	10 / 11	2026-05-17
5.4.0	10 / 11	2026-05-17
5.3.0	10 / 11	2026-05-16
5.2.1	10 / 11	2026-05-15
5.2.0	10 / 11	2026-05-15
5.1.6	10 / 11	2026-05-13
5.1.5	10 / 11	2026-05-13
5.1.4	10 / 11	2026-05-13
5.1.3	10 / 11	2026-05-13
5.1.2	10 / 11	2026-05-12
5.1.1	10 / 11	2026-05-10
5.1.0	10 / 11	2026-05-10
5.0.1	10 / 11	2026-05-09
5.0.0	10 / 11	2026-05-03