@shopify/cli
A CLI tool to build for the Shopify platform
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Major version v4.0.0 rebuild with new bundle structure; expected for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-4HHXSMD7.js | AI (source-diff): Bundled ajv codegen + network utilities in CLI tool; legitimate pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/cli/commands/app/build.js | AI (source-diff): Minified ESM bundle output from Shopify CLI build pipeline; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cli/commands/app/bulk/cancel.js | AI (source-diff): Minified ESM bundle output from Shopify CLI build pipeline; not obfuscation. | ai | |
| source-diff | net-exec-file:dist/chunk-B2EHO7ZC.js | AI (source-diff): Bundled stream/network utilities in CLI tool; legitimate pattern for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-R6N4NGU6.js | AI (source-diff): Minified CLI bundle; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-7JFIBCHH.js | AI (source-diff): Minified CLI bundle containing GraphQL/TS compiler code; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-AQOYGO3U.js | AI (source-diff): Minified CLI bundle containing AJV codegen; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-DEW5QFGH.js | AI (source-diff): Minified CLI bundle containing lodash internals; standard build artifact for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-PRNHS74J.js | AI (source-diff): Standard bundled dist chunk; GraphQL/React internals, not malware. | ai | |
| source-diff | net-exec-file:dist/chunk-LH4VO6EV.js | AI (source-diff): Standard bundled dist chunk; AJV/codegen internals, not malware. | ai | |
| source-diff | net-exec-file:dist/chunk-KVWHPGOA.js | AI (source-diff): Standard bundled dist chunk for Shopify CLI; lodash/utility code, not malware. | ai | |
| source-diff | net-exec-file:dist/chunk-RXF32AET.js | AI (source-diff): Standard bundled dist chunk; TOML parser and other utilities, not malware. | ai | |
| source-diff | net-exec-file:dist/chunk-SVYSLNQH.js | AI (source-diff): Standard bundled ESM dist chunk for Shopify CLI; SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/chunk-WOERFYNW.js | AI (source-diff): Standard bundled ESM dist chunk for Shopify CLI; SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/chunk-PB3UDYWH.js | AI (source-diff): Standard bundled ESM dist chunk for Shopify CLI; SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/chunk-TCRHJ3ZH.js | AI (source-diff): Standard bundled ESM dist chunk for Shopify CLI; SLSA provenance confirms CI/CD origin. | ai | |
| source-diff | net-exec-file:dist/chunk-3CRQIN6A.js | AI (source-diff): TOML parser + CLI logic bundle — standard minified build artifact for Shopify CLI. | ai | |
| source-diff | obfuscated-file:dist/morph-DQREIZD2.js | AI (source-diff): TypeScript compiler bundle — standard minified open-source code, not malware. | ai | |
| source-diff | net-exec-file:dist/chunk-3TG7H626.js | AI (source-diff): GraphQL 16.x bundle — standard minified open-source library code. | ai | |
| source-diff | net-exec-file:dist/morph-DQREIZD2.js | AI (source-diff): TypeScript compiler bundle — standard minified open-source code. | ai | |
| source-diff | net-exec-file:dist/chunk-SVA22NZQ.js | AI (source-diff): Semver + utility bundle — standard minified open-source library code. | ai | |
| source-diff | net-exec-file:dist/chunk-D24XVLOA.js | AI (source-diff): AJV codegen bundle — standard minified open-source library code. | ai | |
| source-diff | net-exec-file:dist/chunk-7FYGRWMW.js | AI (source-diff): Lodash + utility bundle — standard minified open-source library code. | ai | |
| source-diff | obfuscated-file:dist/http-proxy-node16-TTURN6MD.js | AI (source-diff): Minified http-proxy EventEmitter code — standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/assets/dev-console/extensions/dev-console/assets/index-Bm_GpKQW.js | AI (source-diff): Minified React/Vite frontend bundle — standard build artifact. | ai | |
| source-diff | obfuscated-file:dist/morph-Q32V442A.js | AI (source-diff): TypeScript compiler bundle; long lines are expected minified output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/chunk-4QL77VYJ.js | AI (source-diff): Minified bundle containing lodash/utility code; standard CLI dist output for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-4VZV4LQX.js | AI (source-diff): Minified bundle containing GraphQL/React internals; standard CLI dist output. | ai | |
| source-diff | net-exec-file:dist/chunk-5FCKEHCK.js | AI (source-diff): Minified bundle with TOML parser and CLI framework code; standard dist output. | ai | |
| source-diff | net-exec-file:dist/chunk-MX6WWR5F.js | AI (source-diff): Minified bundle with AJV code-generation; standard dist output. | ai | |
| source-diff | net-exec-file:dist/chunk-XVFYDYZA.js | AI (source-diff): Minified bundle with semver and utility helpers; standard dist output. | ai | |
| source-diff | net-exec-file:dist/morph-Q32V442A.js | AI (source-diff): ts-morph/TypeScript compiler bundle; standard dist output for this CLI. | ai | |
| source-diff | obfuscated-file:dist/http-proxy-node16-DSQMBVDI.js | AI (source-diff): http-proxy minified bundle; standard dist output for this CLI. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @shopify/cli is the official Shopify CLI; Levenshtein match to 'joi' is a false positive. | ai | |
| phantom-deps | phantom-dep:global-agent | AI (phantom-deps): global-agent is referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a known implicit runtime/binary dependency; stable for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 4.0.0 | 3 / 13 | |
| 3.94.3 | 3 / 13 | |
| 3.94.2 | 3 / 13 | |
| 3.94.1 | 3 / 13 | |
| 3.94.0 | 3 / 13 | |
| 3.93.2 | 3 / 12 | |
| 3.93.1 | 3 / 12 | |
| 3.93.0 | 3 / 12 | |
v4.0.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.94.2
10 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.94.1
10 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.94.0
10 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.93.2
9 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.93.1
5 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.93.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.