@superdoc-dev/cli No license 26 versions

@superdoc-dev/cli

npm

LLM-first CLI for deterministic DOCX operations through SuperDoc's Document API.

26

Versions

—

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

falsaadehharbournickcaio-pizzol

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@liveblocks/client	AI (phantom-deps): Same as @liveblocks/yjs — optional integration dep, stable false positive.	ai	2026/05/15
source-diff	encoded-string-file:dist/index.js	AI (source-diff): Encoded string is the entities package HTML decode table (decodeBase64 call) — standard bundled dependency, not obfuscation.	ai	2026/05/15
phantom-deps	phantom-dep:ws	AI (phantom-deps): ws is a declared runtime dep used indirectly via bundled collaborations deps; stable false positive for this CLI package.	ai	2026/05/15
phantom-deps	phantom-dep:happy-dom	AI (phantom-deps): happy-dom declared as runtime dep, used indirectly; stable false positive for this package.	ai	2026/05/15
phantom-deps	phantom-dep:@liveblocks/yjs	AI (phantom-deps): Liveblocks deps are optional collaboration integrations; stable false positive for this CLI.	ai	2026/05/15
phantom-deps	phantom-dep:@superdoc/document-api	AI (phantom-deps): Internal superdoc ecosystem package; declared but used indirectly via config. Stable pattern for this CLI.	ai	2026/04/27
phantom-deps	phantom-dep:yjs	AI (phantom-deps): CLI tool that orchestrates the superdoc ecosystem; these deps are declared for downstream use/config, not direct import. Stable pattern for this package.	ai	2026/04/27
phantom-deps	phantom-dep:fast-glob	AI (phantom-deps): CLI tool that orchestrates the superdoc ecosystem; these deps are declared for downstream use/config, not direct import. Stable pattern for this package.	ai	2026/04/27
phantom-deps	phantom-dep:y-websocket	AI (phantom-deps): CLI tool that orchestrates the superdoc ecosystem; these deps are declared for downstream use/config, not direct import. Stable pattern for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@hocuspocus/provider	AI (phantom-deps): CLI tool that orchestrates the superdoc ecosystem; these deps are declared for downstream use/config, not direct import. Stable pattern for this package.	ai	2026/04/27
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped package @superdoc-dev/cli has no semantic relationship to joi; Levenshtein match is a mechanical false positive across completely different domains.	ai	2026/04/26

Versions (showing 26 of 26)

Version	Deps	Published
1.0.3	4 / 6	2026-02-24
1.0.2	4 / 6	2026-02-23
1.0.1	5 / 5	2026-02-23
0.16.0	8 / 7	2026-06-05
0.15.0	8 / 8	2026-05-29
0.14.0	8 / 8	2026-05-27
0.13.1	8 / 8	2026-05-27
0.13.0	8 / 8	2026-05-26
0.12.0	8 / 8	2026-05-22
0.11.0	8 / 8	2026-05-19
0.10.1	8 / 8	2026-05-15
0.10.0	8 / 8	2026-05-15
0.9.0	8 / 8	2026-05-07
0.8.1	8 / 8	2026-05-04
0.8.0	8 / 8	2026-05-01
0.7.0	8 / 8	2026-04-17
0.6.0	8 / 8	2026-04-10
0.5.1	8 / 8	2026-04-02
0.5.0	8 / 8	2026-03-30
0.4.1	8 / 8	2026-03-26
0.4.0	8 / 8	2026-03-24
0.3.2	5 / 7	2026-03-23
0.3.1	5 / 7	2026-03-23
0.3.0	5 / 7	2026-03-20
0.2.0	5 / 7	2026-03-11
0.1.0	0 / 5	2026-02-02

v0.16.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.15.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.14.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: harbournick → caio-pizzol (on 2026-05-22, known maintainer) provenance

This version was published by a different npm account (caio-pizzol) than the most recent previously approved version (harbournick) on 2026-05-22, but caio-pizzol is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.11.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

2 findings

HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1

2 findings

HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

2 findings

HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.