@tamagui/cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source repository and build that produced it; the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Established Tamagui monorepo package; dormancy likely reflects coordinated monorepo release cadence, not account takeover. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo CLI package; missing description is a consistent pattern across the Tamagui ecosystem, not a malice indicator. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): express is referenced in config/runtime paths; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:url | AI (phantom-deps): url is referenced in config files; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:get-port | AI (phantom-deps): get-port is referenced in config files; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:kill-port | AI (phantom-deps): kill-port is referenced in config files; phantom-dep heuristic is a stable false positive here. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @tamagui/cli is not a typosquat of joi; Levenshtein match is spurious for scoped packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo CLI stub; empty main and missing metadata are normal for @tamagui/* packages. | ai | |
| phantom-deps | phantom-dep:@tamagui/vite-plugin | AI (phantom-deps): Same-org dep used transitively via @tamagui/static; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tamagui/create-theme | AI (phantom-deps): Same-org dep; phantom-dep heuristic fires on indirect usage patterns in monorepo. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): Known implicit binary dependency; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Used as a runtime/binary dep by the CLI; phantom-dep heuristic is a stable false positive. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 21 / 4 | |
| 2.0.0 | 21 / 4 | |
| 1.140.3 | 21 / 3 | |
| 1.139.4 | 21 / 3 | |
| 1.139.0 | 21 / 3 | |
| 1.138.1 | 22 / 3 | |
| 1.138.0 | 22 / 3 | |
| 1.137.1 | 22 / 3 | |
| 1.136.7 | 22 / 3 | |
| 1.136.4 | 22 / 3 | |
| 1.136.3 | 22 / 3 | |
| 1.136.1 | 22 / 3 | |
| 1.136.0 | 22 / 3 |
v2.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.140.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.139.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.139.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.138.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.138.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.137.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
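As an added example for this report (not the scanner's code and not Tamagui's), the check below classifies npm registry version records by the provenance they advertise, covering both the provenance gap described at the top of the page and the per-version findings listed above. It assumes the public registry packument shape: `dist.signatures` carries the registry's own signature over the tarball, and `dist.attestations` is present only when the publisher ran `npm publish --provenance`, which attaches a Sigstore-backed SLSA provenance statement naming the source repository and build workflow. The package records, names and URLs below are constructed, not fetched.

```javascript
// Added example, not the scanner's code and not part of Tamagui.
const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';

// Classify one packument version record. Levels, weakest to strongest:
//   unsigned                - nothing cryptographic at all
//   registry-signature-only - the registry vouches for the bytes it served,
//                             but nothing links them to a source repo or build
//   attested-other          - attestations present, but not SLSA provenance
//   provenance              - an SLSA provenance attestation is advertised
function provenanceStatus(versionMeta) {
  const dist = (versionMeta && versionMeta.dist) || {};
  const registrySigned = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  const att = dist.attestations;
  const predicateType =
    att && att.provenance && typeof att.provenance.predicateType === 'string'
      ? att.provenance.predicateType
      : null;

  let level;
  if (predicateType && predicateType.startsWith(SLSA_PREDICATE_PREFIX)) level = 'provenance';
  else if (predicateType) level = 'attested-other';
  else if (registrySigned) level = 'registry-signature-only';
  else level = 'unsigned';

  return {
    level,
    registrySigned,
    predicateType,
    // Where the Sigstore bundle lives. The packument field is only a claim;
    // trust requires verifying that bundle against the tarball integrity.
    attestationsUrl: att && typeof att.url === 'string' ? att.url : null,
  };
}

// Report every published version, latest dist-tag first.
function auditPackument(packument) {
  const versions = packument.versions || {};
  const latest = packument['dist-tags'] && packument['dist-tags'].latest;
  const names = Object.keys(versions);
  const ordered = latest && names.includes(latest) ? [latest, ...names.filter((v) => v !== latest)] : names;
  return ordered.map((v) => ({ version: v, isLatest: v === latest, ...provenanceStatus(versions[v]) }));
}

// Summary a reviewer can act on: which versions cannot be tied to a build.
function provenanceGap(packument) {
  const rows = auditPackument(packument);
  const missing = rows.filter((r) => r.level !== 'provenance').map((r) => r.version);
  return { total: rows.length, withProvenance: rows.length - missing.length, missing };
}

// Constructed packument for a package that, like the one in this report,
// has registry signatures on every version but no attestations.
function signedOnly(version) {
  return {
    version,
    dist: {
      integrity: 'sha512-CONSTRUCTED-' + version,
      tarball: 'https://registry.example/example-cli/-/example-cli-' + version + '.tgz',
      signatures: [{ keyid: 'SHA256:constructed-registry-key', sig: 'MEUCconstructed' }],
    },
  };
}
const SAMPLE_PACKUMENT = {
  name: 'example-cli',
  'dist-tags': { latest: '2.1.0' },
  versions: { '2.0.0': signedOnly('2.0.0'), '2.1.0': signedOnly('2.1.0') },
};

// Constructed record for a version published with `npm publish --provenance`.
const SAMPLE_WITH_PROVENANCE = {
  version: '1.0.0',
  dist: {
    integrity: 'sha512-CONSTRUCTED-1.0.0',
    tarball: 'https://registry.example/other-pkg/-/other-pkg-1.0.0.tgz',
    signatures: [{ keyid: 'SHA256:constructed-registry-key', sig: 'MEUCconstructed' }],
    attestations: {
      url: 'https://registry.example/-/npm/v1/attestations/other-pkg@1.0.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

console.log(provenanceGap(SAMPLE_PACKUMENT));
console.log(provenanceStatus(SAMPLE_WITH_PROVENANCE).level);
```

Against a live registry the same classification comes from `npm view @tamagui/cli@2.1.0 dist.attestations --json`, which prints nothing for an unattested version, and from `npm audit signatures` in a project with a lockfile, which actually verifies the registry signatures and any attestation bundles rather than trusting the packument field. The distinction the `level` values draw matters for the finding above: a registry signature proves the registry served these bytes, while only a verified provenance attestation ties them to a public source commit and build.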