@subql/cli — Greenflagged

CLI for SubQuery

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

onfinality-adminscott_subql

Keywords

oclif

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:json5	AI (dependencies): json5 ^2.2.3 is a well-known, widely-used library; constraint is at/above the patched version for prior CVEs. No active advisories.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher transition from onfinality-admin to GitHub Actions is consistent with CI/CD automation for established projects.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-soroban	AI (dependencies): First-party SubQuery package for Soroban network support, consistent with @subql/cli's multi-chain CLI purpose. Published by the same org (onfinality-admin).	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-avalanche	AI (dependencies): First-party SubQuery package in the same org namespace; unvetted flag is a false positive for this package family.	ai	2026/04/21
phantom-deps	phantom-dep:@walletconnect/types	AI (phantom-deps): Type-only dependency used in generated code; phantom detection is expected for type packages.	ai	2026/04/21
dependencies	unvetted-dep:ws	AI (dependencies): ws is the canonical WebSocket library for Node.js with massive adoption; safe dependency for a CLI tool.	ai	2026/04/21
phantom-deps	phantom-dep:graphql-request	AI (phantom-deps): Declared dep used in generated/bundled code; phantom detection is a false positive for this package.	ai	2026/04/21
license	copyleft-license:GPL-3.0	AI (license): GPL-3.0 is disclosed in package.json and consistent with SubQuery's open-source project model.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-terra	AI (dependencies): First-party @subql/ namespace package from the same SubQuery organization; adding terra/substrate chain support is expected for this CLI tool.	ai	2026/04/21
dependencies	unvetted-dep:siwe	AI (dependencies): siwe (Sign-In with Ethereum) is a well-known auth library, appropriate for a blockchain CLI tool.	ai	2026/04/21
dependencies	unvetted-dep:graphql-request	AI (dependencies): graphql-request is an established GraphQL client; appropriate for CLI adding network features.	ai	2026/04/21
dependencies	unvetted-dep:dotenv	AI (dependencies): dotenv is one of the most popular npm packages (~30M weekly downloads), standard env config tool.	ai	2026/04/21
dependencies	unvetted-dep:@subql/network-clients	AI (dependencies): First-party @subql scoped package from the same organization.	ai	2026/04/21
dependencies	unvetted-dep:@walletconnect/utils	AI (dependencies): Official WalletConnect utils package; well-established in the Web3 ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:@walletconnect/types	AI (dependencies): Official WalletConnect types package; well-established in the Web3 ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:@subql/contract-sdk	AI (dependencies): @subql/contract-sdk is part of the SubQuery ecosystem; legitimate dependency for this CLI.	ai	2026/04/21
dependencies	unvetted-dep:@walletconnect/sign-client	AI (dependencies): WalletConnect is a standard Web3 library; appropriate for CLI adding wallet integration.	ai	2026/04/21
dependencies	unvetted-dep:@polkadot/api	AI (dependencies): Polkadot API is the legitimate blockchain integration library for SubQuery's Polkadot indexing.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-concordium	AI (dependencies): @subql/common-concordium is a first-party SubQuery package for Concordium blockchain support, consistent with SubQuery's multi-chain expansion pattern and the same publisher org.	ai	2026/04/21
dependencies	unvetted-dep:ethers	AI (dependencies): ethers is a standard Ethereum library; new addition for blockchain support is contextually appropriate.	ai	2026/04/21
dependencies	unvetted-dep:typechain	AI (dependencies): typechain is a legitimate code generation tool for Ethereum contracts; supports multi-chain expansion.	ai	2026/04/21
dependencies	unvetted-dep:algosdk	AI (dependencies): algosdk is the official Algorand SDK; legitimate addition for blockchain network support.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-near	AI (dependencies): First-party SubQuery package for NEAR chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-flare	AI (dependencies): First-party SubQuery package for Flare chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-cosmos	AI (dependencies): First-party SubQuery package for Cosmos chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@typechain/ethers-v5	AI (dependencies): Official typechain adapter for ethers v5; legitimate for Ethereum contract type generation.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-stellar	AI (dependencies): First-party SubQuery package for Stellar chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-algorand	AI (dependencies): First-party SubQuery package for Algorand chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-ethereum	AI (dependencies): First-party SubQuery package for Ethereum chain support; legitimate dependency.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common-substrate	AI (dependencies): First-party SubQuery package for Substrate chain support; legitimate dependency.	ai	2026/04/21
phantom-deps	phantom-dep:algosdk	AI (phantom-deps): Used as a peer/scaffolding dependency for Algorand project generation; not directly imported in CLI code.	ai	2026/04/21
phantom-deps	phantom-dep:@typechain/ethers-v5	AI (phantom-deps): Used as a scaffolding/codegen dependency; referenced in generated project configs rather than directly imported.	ai	2026/04/21
dependencies	unvetted-dep:esbuild	AI (dependencies): esbuild is a standard build tool; legitimate replacement for webpack in this refactoring.	ai	2026/04/21
dependencies	unvetted-dep:zod	AI (dependencies): zod is a schema validation library; legitimate for CLI argument/config validation.	ai	2026/04/21
dependencies	unvetted-dep:@modelcontextprotocol/sdk	AI (dependencies): MCP SDK is Anthropic's official Model Context Protocol SDK. Adding MCP support to a developer CLI is a plausible feature addition.	ai	2026/04/21
phantom-deps	phantom-dep:ora	AI (phantom-deps): ora is a spinner library commonly used in CLI tools; its presence as a declared dep without direct import is consistent with indirect usage via config or re-export.	ai	2026/04/21
phantom-deps	phantom-dep:ts-loader	AI (phantom-deps): ts-loader is a TypeScript webpack loader; declared as a dep for build tooling purposes even if not directly imported in main source.	ai	2026/04/21
dependencies	unvetted-dep:boxen	AI (dependencies): boxen is a standard CLI box-drawing utility; legitimate for formatting CLI output.	ai	2026/04/21
phantom-deps	phantom-dep:typescript	AI (phantom-deps): typescript is a dev tool referenced in build scripts; appropriate to declare as runtime dep for CLI distribution.	ai	2026/04/21
dependencies	unvetted-dep:node-fetch	AI (dependencies): node-fetch is a standard HTTP client; pinned to 2.6.7 with resolution lock for stability.	ai	2026/04/21
phantom-deps	phantom-dep:boxen	AI (phantom-deps): boxen is used in CLI output formatting; declared and used in build/config workflows.	ai	2026/04/21
phantom-deps	phantom-dep:semver	AI (phantom-deps): semver used indirectly in CLI tooling context; phantom dep is expected pattern here.	ai	2026/04/21
phantom-deps	phantom-dep:node-fetch	AI (phantom-deps): node-fetch used indirectly; phantom dep is expected for this CLI's build/bundle pattern.	ai	2026/04/21
phantom-deps	phantom-dep:update-notifier	AI (phantom-deps): update-notifier is a standard CLI utility; indirect usage pattern is expected for this CLI tool.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of jay_ji is a normal team transition within the same organization.	ai	2026/04/21
dependencies	unvetted-dep:ora	AI (dependencies): ora is a widely-used CLI spinner library; standard for CLI UX.	ai	2026/04/21
dependencies	unvetted-dep:@inquirer/prompts	AI (dependencies): @inquirer/prompts is a standard CLI prompt library; expected for interactive CLI tools.	ai	2026/04/21
dependencies	unvetted-dep:update-notifier	AI (dependencies): update-notifier is a standard npm CLI update notification utility; widely used and well-established.	ai	2026/04/21
dependencies	unvetted-dep:ts-node	AI (dependencies): ts-node is a standard build dependency for TypeScript CLI tools; established package with no malware indicators.	ai	2026/04/21
dependencies	unvetted-dep:terser-webpack-plugin	AI (dependencies): terser-webpack-plugin is a standard minifier; legitimate build dependency.	ai	2026/04/21
dependencies	unvetted-dep:tsconfig-paths-webpack-plugin	AI (dependencies): tsconfig-paths-webpack-plugin is a webpack plugin for TypeScript paths; legitimate build tool.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer addition (scott_subql) is consistent with SubQuery org; no takeover indicators.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): 12.7x size increase explained by GraphQL schema artifacts (base-types files ~7.9MB); legitimate for codegen feature.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are established packages (Apollo, WalletConnect, graphql-request) supporting documented GraphQL/wallet features.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 80 new files reflect legitimate feature expansion (GraphQL codegen support); no evidence of injected code.	ai	2026/04/21
dependencies	unvetted-dep:oclif	AI (dependencies): oclif is the documented CLI framework for this package; its use is intentional and appropriate.	ai	2026/04/21
dependencies	unvetted-dep:ts-loader	AI (dependencies): ts-loader is a standard TypeScript webpack loader; legitimate build dependency.	ai	2026/04/21
dependencies	unvetted-dep:@oclif/core	AI (dependencies): @oclif/core is the core oclif CLI framework package; legitimate for oclif-based CLIs.	ai	2026/04/21
phantom-deps	phantom-dep:oclif	AI (phantom-deps): oclif is referenced in oclif manifest config, not directly imported — normal for oclif CLI tools.	ai	2026/04/21
phantom-deps	phantom-dep:yaml-loader	AI (phantom-deps): yaml-loader is referenced in webpack config, not directly imported — normal for build tooling.	ai	2026/04/21
phantom-deps	phantom-dep:@oclif/command	AI (phantom-deps): Referenced in oclif config files by convention; normal for oclif-based CLI tools.	ai	2026/04/21
phantom-deps	phantom-dep:@types/inquirer	AI (phantom-deps): @types packages are loaded by TypeScript convention, not direct imports; expected pattern.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Package predates widespread Sigstore provenance adoption; no other risk signals present.	ai	2026/04/21
dependencies	unvetted-dep:rimraf	AI (dependencies): rimraf is a standard cross-platform rm utility; appropriate for build tools.	ai	2026/04/21
dependencies	unvetted-dep:ipfs-http-client	AI (dependencies): ipfs-http-client is a legitimate IPFS library; appropriate for SubQuery's use case.	ai	2026/04/21
dependencies	unvetted-dep:websocket	AI (dependencies): websocket is a standard library; legitimate for network operations.	ai	2026/04/21
dependencies	unvetted-dep:yaml-loader	AI (dependencies): yaml-loader is a webpack loader; expected for manifest/config parsing.	ai	2026/04/21
dependencies	unvetted-dep:@subql/validator	AI (dependencies): Scoped package from same organization (@subql); internal dependency for validation logic.	ai	2026/04/21
dependencies	unvetted-dep:@types/inquirer	AI (dependencies): TypeScript type definitions for inquirer; framework-scoped package, stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:inquirer-autocomplete-prompt	AI (dependencies): inquirer-autocomplete-prompt extends inquirer for CLI UX; appropriate for this package.	ai	2026/04/21
dependencies	unvetted-dep:inquirer	AI (dependencies): inquirer is standard for interactive CLI prompts.	ai	2026/04/21
dependencies	unvetted-dep:cli-ux	AI (dependencies): cli-ux is a standard CLI UI library; expected in oclif-based tools.	ai	2026/04/21
dependencies	unvetted-dep:webpack	AI (dependencies): Webpack is a standard build tool for CLI bundling; appropriate for this package's build pipeline.	ai	2026/04/21
dependencies	unvetted-dep:webpack-merge	AI (dependencies): webpack-merge is a standard build tool dependency; legitimate use in webpack configuration.	ai	2026/04/21
dependencies	unvetted-dep:@oclif/command	AI (dependencies): Core oclif framework dependency; expected for oclif-based CLI.	ai	2026/04/21
dependencies	unvetted-dep:@oclif/config	AI (dependencies): oclif configuration module; standard for oclif CLI tools.	ai	2026/04/21
dependencies	unvetted-dep:ejs	AI (dependencies): ejs is a standard, widely-used template engine; appropriate for a CLI tool.	ai	2026/04/21
dependencies	unvetted-dep:simple-git	AI (dependencies): simple-git is a widely-used git wrapper; legitimate for a SubQuery CLI tool.	ai	2026/04/21
dependencies	unvetted-dep:@types/ejs	AI (dependencies): TypeScript type definitions for ejs; standard practice for TypeScript projects.	ai	2026/04/21
dependencies	unvetted-dep:@subql/common	AI (dependencies): @subql/common is the companion package from the same publisher (onfinality-admin). Expected sibling dependency.	ai	2026/04/21
dependencies	unvetted-dep:@oclif/plugin-help	AI (dependencies): oclif plugin for help system; standard CLI framework component.	ai	2026/04/21
phantom-deps	phantom-dep:@types/ejs	AI (phantom-deps): Framework-scoped type definitions loaded by convention in TypeScript projects.	ai	2026/04/21
phantom-deps	phantom-dep:@oclif/config	AI (phantom-deps): oclif framework dependency loaded by convention; referenced in oclif config.	ai	2026/04/21
phantom-deps	phantom-dep:@oclif/plugin-help	AI (phantom-deps): oclif plugin loaded by convention; declared in oclif.plugins config.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): CLI tool legitimately uses child_process to spawn subprocesses; expected for this package type.	ai	2026/04/21
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is standard pattern for plugin/module loading in CLI tools; input is controlled.	ai	2026/04/21
typosquat	typosquat.levenshtein:joi	AI (typosquat): Package name @subql/cli is scoped and clearly branded; edit distance to joi is incidental, not impersonation.	ai	2026/04/21
semgrep	semgrep:eval-usage	AI (semgrep): eval() used for TypeScript compilation in build process, not arbitrary code execution.	ai	2026/04/21

Versions (showing 51 of 174)

Hide prereleases View all versions

Version	Deps	Published
6.6.2	38 / 28	2025-12-15
6.3.0	39 / 27	2025-09-16
6.2.2	28 / 18	2025-08-28
6.2.1	28 / 18	2025-08-25
6.2.0	27 / 18	2025-08-25
6.1.3	24 / 18	2025-08-01
6.1.2	24 / 18	2025-07-31
6.1.1	24 / 18	2025-07-28
6.1.0	24 / 18	2025-07-24
6.0.2	24 / 18	2025-07-17
6.0.1	24 / 18	2025-07-14
6.0.0	24 / 18	2025-07-14
5.14.1	21 / 18	2025-07-13
5.14.0	21 / 18	2025-07-01
5.13.0	21 / 18	2025-06-24
5.12.0	27 / 19	2025-06-12
5.11.0	27 / 19	2025-06-05
5.10.0	27 / 19	2025-05-20
5.9.1	26 / 18	2025-05-08
5.9.0	26 / 18	2025-04-30
5.8.1	28 / 18	2025-04-23
5.8.0	28 / 18	2025-04-17
5.7.1	28 / 18	2025-03-20
5.7.0	27 / 18	2025-02-25
5.6.0	27 / 18	2025-02-19
5.5.2	27 / 18	2025-02-13
5.5.1	27 / 18	2025-02-04
5.5.0	27 / 18	2025-01-28
5.4.0	27 / 18	2024-12-11
5.3.3	26 / 18	2024-12-04
5.3.2	26 / 18	2024-11-25
5.3.1	26 / 18	2024-11-24
5.3.0	26 / 18	2024-10-21
5.2.8	26 / 18	2024-09-25
5.2.7	26 / 18	2024-09-15
5.2.6	26 / 18	2024-09-11
5.2.4	26 / 18	2024-08-23
5.2.3	26 / 18	2024-08-14
5.2.2	26 / 18	2024-08-14
5.2.1	25 / 18	2024-08-12
5.1.1	24 / 18	2024-07-25
5.1.0	25 / 19	2024-07-11
5.0.1	25 / 19	2024-07-09
5.0.0	25 / 19	2024-07-04
4.15.0	34 / 11	2024-06-21
4.14.0	34 / 11	2024-06-18
4.13.1	35 / 11	2024-06-11
4.13.0	35 / 11	2024-06-11
4.12.0	35 / 11	2024-06-05
4.11.0	35 / 11	2024-05-30
4.10.1	35 / 11	2024-05-26