@supernovaio/cli

Supernova.io Command Line Interface

Versions: 14
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

seva-supernova, artufimtcev, supernova-ci, susergii, jiritrecak, clxsupernova, sn-filip, daniskoydus

Keywords

Supernova, Design Systems, Supernovaio, SDK, Design Tokens, Tokens, Assets, Components, Documentation, CMS

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): fs-extra and @types/fs-extra are well-known, widely-used packages with no malicious history. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers replaced by other Supernova-org accounts; consistent with org-internal handoff. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all Supernova-org accounts; internal team rotation, not a takeover. | ai |
provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher is a documented CI/CD migration pattern for this established CLI package. | ai |
dependencies | unvetted-dep:@supernovaio/code-analyzer | AI (dependencies): Same @supernovaio org namespace as the package itself; consistent with CLI tooling purpose. | ai |
provenance | no-provenance | AI (provenance): Established org CLI; no provenance has been a consistent pattern across versions. | ai |
dependencies | unvetted-dep:@supernovaio/sdk | AI (dependencies): First-party Supernova SDK dependency; expected for this CLI package. | ai |
dependencies | unvetted-dep:@hackolade/keytar | AI (dependencies): Keytar fork for credential storage; consistent with CLI auth use case. | ai |
dependencies | unvetted-dep:@supernova-studio/simple-parse-github-url | AI (dependencies): First-party Supernova utility; expected for this CLI package. | ai |
dependencies | unvetted-dep:@supernova-studio/pulsar-language | AI (dependencies): First-party Supernova dependency; expected for this CLI package. | ai |
dependencies | unvetted-dep:@supernova-studio/pulsar-core | AI (dependencies): First-party Supernova dependency; expected for this CLI package. | ai |
phantom-deps | phantom-dep:@supernova-studio/model | AI (phantom-deps): Bundled dep (listed in bundleDependencies); phantom-dep false positive. | ai |
typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @supernovaio/cli; levenshtein match to 'joi' is a false positive, no brand impersonation. | ai |
phantom-deps | phantom-dep:@supernova-studio/simple-parse-github-url | AI (phantom-deps): Bundled dep (listed in bundleDependencies); phantom-dep false positive. | ai |
phantom-deps | phantom-dep:colors | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this CLI package. | ai |
phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this CLI package. | ai |
phantom-deps | phantom-dep:ip-cidr | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this CLI package. | ai |
phantom-deps | phantom-dep:minimatch | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this CLI package. | ai |
phantom-deps | phantom-dep:ts-pattern | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for this CLI package. | ai |
phantom-deps | phantom-dep:@types/fs-extra | AI (phantom-deps): Types package loaded by convention; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@hackolade/keytar | AI (phantom-deps): Loaded indirectly via oclif/keytar integration; phantom-dep false positive. | ai |
phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): oclif plugin loaded by convention via oclif config; stable false positive. | ai |
phantom-deps | phantom-dep:@oclif/plugin-plugins | AI (phantom-deps): oclif plugin loaded by convention via oclif config; stable false positive. | ai |
phantom-deps | phantom-dep:@sentry/profiling-node | AI (phantom-deps): Sentry profiling loaded at runtime via Sentry integration; stable false positive. | ai |

Versions (showing 14 of 14)

Version | Deps | Published
2.2.2 | 40 / 27 |
2.1.1 | 36 / 27 |
2.1.0 | 36 / 27 |
2.0.49 | 36 / 27 |
2.0.48 | 36 / 27 |
2.0.47 | 36 / 27 |
2.0.46 | 35 / 27 |
2.0.44 | 35 / 27 |
2.0.30 | 34 / 25 |
2.0.27 | 33 / 25 |
2.0.24 | 33 / 25 |
2.0.3 | 31 / 25 |
2.0.2 | 31 / 25 |
2.0.0 | 31 / 25 |

v2.2.2

2 findings

HIGH (provenance): Publisher changed: susergii → GitHub Actions (on 2026-05-19)

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.49

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.48

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.47

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.46

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.44

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.30

1 finding

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.27

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.24

1 finding

INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.