@stackwright/cli — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

stackwright

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Established package with 27 approved versions; lack of Sigstore attestation is a process gap, not a security signal.	ai	2026/05/27
typosquat	typosquat.levenshtein:joi	AI (typosquat): @stackwright/cli is a scoped CLI tool for the Stackwright framework, not a typosquat of joi. The name similarity is coincidental and the package has clear, legitimate identity.	ai	2026/04/27
phantom-deps	phantom-dep:zod	AI (phantom-deps): zod is explicitly declared as a runtime dependency in package.json; the phantom-dep finding is a false positive from static import analysis not tracing all usage paths.	ai	2026/04/27

Versions (showing 15 of 15)

Version	Deps	Published
0.8.6	6 / 10	2026-05-17
0.8.5	6 / 10	2026-05-15
0.8.4	6 / 11	2026-05-08
0.8.3	11 / 6	2026-05-06
0.8.2	11 / 6	2026-04-29
0.8.0	11 / 6	2026-04-27
0.7.0	9 / 6	2026-03-17
0.6.0	9 / 6	2026-03-13
0.5.1	9 / 6	2026-02-28
0.5.0	9 / 6	2026-02-28
0.4.0	10 / 5	2025-07-15
0.3.0	10 / 5	2025-07-15
0.2.2	10 / 5	2025-07-15
0.2.1	10 / 5	2025-07-15
0.2.0	10 / 5	2025-07-14

v0.8.6

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stackwright.