@sorrell/cli
General-purpose commands for NodeJS development.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:tsover-runtime | AI (phantom-deps): tsover-runtime is a build-time TypeScript runtime shim; phantom-dep false positive for this package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Fires on a publish utility script opening a URL in the browser on Windows; not a runtime or install-time threat. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same context as silent-process-exec; benign browser-open pattern in a build/publish helper script. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @sorrell/cli under author's own namespace; Levenshtein match to 'joi' is coincidental. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): Declared runtime dep; heuristic false positive for indirect/conditional usage. | ai | |
| phantom-deps | phantom-dep:terminal-image | AI (phantom-deps): Declared runtime dep; heuristic false positive for indirect/conditional usage. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.0.13 | 12 / 8 | |
| 0.0.12 | 12 / 8 | |
| 0.0.11 | 12 / 8 | |
| 0.0.10 | 12 / 8 | |
| 0.0.9 | 12 / 8 | |
| 0.0.8 | 12 / 8 | |
| 0.0.7 | 12 / 8 | |
| 0.0.6 | 12 / 8 | |
| 0.0.5 | 12 / 8 | |
| 0.0.4 | 12 / 8 | |
| 0.0.3 | 12 / 4 | |
| 0.0.2 | 12 / 4 | |
| 0.0.1 | 11 / 4 | |
v0.0.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
7 findings:

1. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L311

```js
  309 | switch (process.platform) {
  310 |     case "win32":
> 311 |         spawn("cmd", ["/c", "start", "", Url], {
  312 |             detached: true,
  313 |             stdio: "ignore"
```

2. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L311 (same location and snippet as finding 1, reported a second time)

3. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L317

```js
  315 |         break;
  316 |     case "darwin":
> 317 |         spawn("open", [Url], {
  318 |             detached: true,
  319 |             stdio: "ignore"
```

4. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L317 (same location and snippet as finding 3, reported a second time)

5. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L323

```js
  321 |         break;
  322 |     default:
> 323 |         spawn("xdg-open", [Url], {
  324 |             detached: true,
  325 |             stdio: "ignore"
```

6. Silent detached process — runs invisibly in the background (reverse shells, miners). Source: https://github.com/GageSorrell/SorrellWm/blob/5ae14c1a36a565b8408cfdff6cfc81c145c7cb17/Distribution/Publish/Publish.js#L323 (same location and snippet as finding 5, reported a second time)

7. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.