@tarojs/cli
Versions: 1
License: —
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
yuchexuanzebindefaultleedrchankyjoqq592743779advancedcatbaosiqingzakaryliuzejiavasily.cjjhardenzheng2
Keywords
taroweapp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @tarojs/cli is the official Taro CLI; no resemblance to 'joi' in intent or namespace. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require appears in test files (update.spec.ts) and CLI plugin-loading patterns; expected for this scaffolding tool. | ai | |
| phantom-deps | phantom-dep:ejs | AI (phantom-deps): Template rendering dependency; used indirectly via scaffolding templates, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babylon | AI (phantom-deps): AST tooling dependency used transitively; stable false positive for this CLI package. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): Module resolution utility used transitively; stable false positive for this CLI package. | ai | |
| phantom-deps | phantom-dep:tapable | AI (phantom-deps): Plugin system dependency used transitively via webpack/service layer; stable false positive. | ai | |
| phantom-deps | phantom-dep:regenerator-runtime | AI (phantom-deps): Known implicit runtime dependency for async/generator transpilation; stable false positive. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 3.5.4 | 38 / 0 | |