@visulima/cerebro — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

prisis

Keywords

commandlineclassterminalansiclioptsnoptoptionsargsargvinteractivecommanderclapcli-appminimistcommand line appscommand-line-usageoptionparserargumentflaggluegunmeowoclifyargs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/packem_shared/Cerebro-BqHqYEQJ.js	AI (source-diff): Standard packem minified bundle output; readable code with no malicious patterns.	ai	2026/05/11
source-diff	obfuscated-file:dist/packem_shared/help-command-Ddt6rdio.js	AI (source-diff): Standard packem minified bundle output; readable code with no malicious patterns.	ai	2026/05/11
dependencies	unvetted-dep:@visulima/tabular	AI (dependencies): Sibling package from same visulima monorepo/publisher; low independent risk.	ai	2026/05/06
dependencies	unvetted-dep:@visulima/colorize	AI (dependencies): Sibling package from same visulima monorepo/publisher; low independent risk.	ai	2026/05/06
phantom-deps	phantom-dep:fastest-levenshtein	AI (phantom-deps): fastest-levenshtein is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/04/30

Versions (showing 9 of 9)

Version	Deps	Published
2.1.5	3 / 0	2025-11-19
2.1.4	3 / 0	2025-11-13
2.1.2	3 / 0	2025-11-13
2.1.1	3 / 0	2025-11-12
2.1.0	3 / 0	2025-11-07
2.0.3	3 / 0	2025-11-07
2.0.2	3 / 0	2025-11-05
2.0.1	3 / 0	2025-11-05
2.0.0	3 / 0	2025-11-05

v2.1.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.1

3 findings

HIGH New obfuscated file: dist/packem_shared/Cerebro-BqHqYEQJ.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/packem_shared/help-command-Ddt6rdio.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.