@tscircuit/cli
A CLI for developing, managing and publishing tscircuit code (the "npm for tscircuit")
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@tscircuit/circuit-json-schematic-placement-analysis | AI (npm-metadata): SHA-pinned devDep pointing to tscircuit's own org repo; devDeps don't ship to consumers. | ai | |
| npm-metadata | url-dep:circuit-json-trace-length-analysis | AI (npm-metadata): SHA-pinned devDep pointing to tscircuit's own org repo; devDeps don't ship to consumers. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): resvgjs native binaries are expected for SVG/image processing in this EDA CLI; stable pattern across versions. | ai | |
| source-diff | encoded-string-file:dist/cli/main.js | AI (source-diff): Encoded strings are undici's llhttp WASM binary (base64); benign and stable across versions of this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require loads a local package.json for project discovery — standard CLI entrypoint pattern, not an arbitrary code execution risk. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-typescript | AI (phantom-deps): Rollup plugin loaded via config; phantom-dep is expected for scoped plugins loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-node-resolve | AI (phantom-deps): Rollup plugin loaded via config; phantom-dep is expected for scoped plugins loaded by convention. | ai | |
| phantom-deps | phantom-dep:rollup | AI (phantom-deps): Rollup is a build tool referenced in config; phantom-dep is expected for build tools loaded by convention. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-dts | AI (phantom-deps): Rollup plugin loaded via config; phantom-dep is expected for plugins loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-commonjs | AI (phantom-deps): Rollup plugin loaded via config; phantom-dep is expected for scoped plugins loaded by convention. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 1659 versions over 772 days; dormancy finding appears to be a false positive given the extremely active publish cadence. | ai | |
| source-diff | net-exec-file:dist/cli/main.js | AI (source-diff): CLI tool that makes API calls and uses dynamic module loading; network+exec pattern is expected in bundled CLI output for tscircuit. | ai | |
| source-diff | obfuscated-file:dist/cli/main.js | AI (source-diff): dist/cli/main.js is a bun-bundled CLI entry point; long lines are standard bundler output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/lib/index.js | AI (source-diff): The long encoded string is the llhttp WebAssembly binary (base64-encoded WASM) bundled from undici — a standard, legitimate pattern. Not malicious. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @tscircuit/cli is a scoped package in the established tscircuit ecosystem with 772 days of history and 1659 versions. The Levenshtein match to 'joi' is purely coincidental — no impersonation. | ai | |
Versions (showing 51 of 1357)
| Version | Deps | Published |
|---|---|---|
| 0.1.1455 | 0 / 68 | |
| 0.1.1454 | 0 / 68 | |
| 0.1.1453 | 0 / 68 | |
| 0.1.1452 | 0 / 68 | |
| 0.1.1451 | 0 / 68 | |
| 0.1.1450 | 0 / 68 | |
| 0.1.1449 | 0 / 68 | |
| 0.1.1448 | 0 / 68 | |
| 0.1.1447 | 0 / 68 | |
| 0.1.1446 | 0 / 68 | |
| 0.1.1445 | 0 / 68 | |
| 0.1.1444 | 0 / 68 | |
| 0.1.1443 | 0 / 68 | |
| 0.1.1442 | 0 / 68 | |
| 0.1.1441 | 0 / 68 | |
| 0.1.1440 | 0 / 68 | |
| 0.1.1439 | 0 / 68 | |
| 0.1.1438 | 0 / 68 | |
| 0.1.1437 | 0 / 68 | |
| 0.1.1436 | 0 / 68 | |
| 0.1.1435 | 0 / 68 | |
| 0.1.1434 | 0 / 68 | |
| 0.1.1433 | 0 / 68 | |
| 0.1.1432 | 0 / 68 | |
| 0.1.1431 | 0 / 68 | |
| 0.1.1430 | 0 / 68 | |
| 0.1.1429 | 0 / 68 | |
| 0.1.1428 | 0 / 68 | |
| 0.1.1427 | 0 / 68 | |
| 0.1.1426 | 0 / 68 | |
| 0.1.1425 | 0 / 68 | |
| 0.1.1424 | 0 / 68 | |
| 0.1.1423 | 0 / 68 | |
| 0.1.1422 | 0 / 68 | |
| 0.1.1421 | 0 / 68 | |
| 0.1.1420 | 0 / 68 | |
| 0.1.1419 | 0 / 68 | |
| 0.1.1418 | 0 / 68 | |
| 0.1.1417 | 0 / 68 | |
| 0.1.1416 | 0 / 68 | |
| 0.1.1415 | 0 / 68 | |
| 0.1.1414 | 0 / 68 | |
| 0.1.1413 | 0 / 68 | |
| 0.1.1412 | 0 / 68 | |
| 0.1.1411 | 0 / 68 | |
| 0.1.1410 | 0 / 68 | |
| 0.1.1409 | 0 / 68 | |
| 0.1.1408 | 0 / 68 | |
| 0.1.1407 | 0 / 68 | |
| 0.1.1406 | 0 / 68 | |
| 0.1.1405 | 0 / 68 | |
v0.1.1455
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1454
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1453
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1452
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1451
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1450
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1449
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1448
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1447
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1446
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1445
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1444
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1443
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1442
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1441
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1440
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1439
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1438
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1437
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1436
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1435
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1434
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1433
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1432
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1431
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1430
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1429
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1428
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1427
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1426
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1425
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1424
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1423
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1422
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1421
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1420
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1419
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1418
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1417
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1416
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1415
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1414
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1413
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1412
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1411
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1410
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1409
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1408
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1407
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1406
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1405
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.