@teambit/cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/workspace.modules.workspace-locator | AI (dependencies): First-party @teambit scoped package; consistent with the rest of the dependency tree for this well-established package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established scoped package with clear purpose; missing description is stable pattern. | ai | |
| provenance | no-provenance | AI (provenance): Only ~12% of npm packages have provenance; not a disqualifier for established packages. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.loader | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @teambit/cli package; Levenshtein match to 'joi' is a false positive with no brand impersonation. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.cli.error | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/bit.get-bit-version | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.analytics | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/logger | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Sibling @teambit/* package from the same publisher/ecosystem; stable false positive. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 0.0.1327 | 17 / 6 | |
| 0.0.1326 | 17 / 6 | |
| 0.0.1325 | 17 / 6 | |
| 0.0.1324 | 17 / 6 | |
| 0.0.1323 | 17 / 6 | |
| 0.0.1322 | 17 / 6 | |
| 0.0.1321 | 17 / 6 | |
| 0.0.1320 | 17 / 6 | |
| 0.0.1316 | 17 / 6 | |
| 0.0.1315 | 17 / 6 | |
| 0.0.1314 | 17 / 6 | |
| 0.0.1313 | 17 / 6 | |
| 0.0.1312 | 17 / 6 | |
| 0.0.1311 | 17 / 6 | |
| 0.0.1310 | 16 / 5 | |
| 0.0.1309 | 16 / 5 | |
| 0.0.1308 | 16 / 5 | |
| 0.0.1307 | 16 / 5 | |
| 0.0.1304 | 16 / 5 | |
| 0.0.1301 | 16 / 5 | |
| 0.0.1297 | 16 / 5 | |
| 0.0.1286 | 16 / 5 | |
| 0.0.1285 | 16 / 5 | |
| 0.0.1284 | 16 / 5 | |
| 0.0.1257 | 16 / 5 | |
| 0.0.1256 | 16 / 5 | |
| 0.0.1232 | 18 / 5 | |
| 0.0.1228 | 18 / 5 | |
| 0.0.1189 | 18 / 5 | |
| 0.0.1188 | 18 / 5 | |
| 0.0.1187 | 18 / 5 | |
v0.0.1327
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1326
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1325
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1324
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1323
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1322
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1321
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1315
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1310
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1307
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1304
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1301
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1297
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1286
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1285
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1284
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1257
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1256
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1232
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1228
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1189
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1188
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1187
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.