@wp-playground/cli
WordPress Playground CLI
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:ps-man | AI (dependencies): Legitimate process-management dep for WP Playground CLI; stable across versions. | ai | |
| dependencies | unvetted-dep:minimisted | AI (dependencies): Argument-parsing utility; consistent with CLI tooling, stable across versions. | ai | |
| source-diff | obfuscated-file:run-cli-C1cUS9na.cjs | AI (source-diff): Standard minified bundle from official WP Playground CI build; SLSA provenance confirms supply chain integrity. | ai | |
| source-diff | obfuscated-file:run-cli-b6r6MAhq.cjs | AI (source-diff): Minified bundle with source maps; readable logic and workspace imports confirm legitimate build artifact. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:pify | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:diff3 | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:crc-32 | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:sha.js | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:xml2js | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Large CLI bundle; deps referenced in bundled config files, not direct imports. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ini | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:clean-git-ref | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@zip.js/zip.js | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:readable-stream | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:fs-ext-extra-prebuilt | AI (phantom-deps): Platform-specific binary package; expected for this CLI tool. | ai | |
| phantom-deps | phantom-dep:octokit | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:async-lock | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:minimisted | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:simple-get | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Same bundled-config pattern; stable false positive. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately spawns child processes to run local WordPress servers; expected behavior. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): CLI tool legitimately executes shell commands; expected for a WordPress server CLI. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): CLI tool legitimately spawns child processes; expected for a WordPress server CLI. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @wp-playground/cli is the official WordPress Playground CLI; not a typosquat of joi. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 used as default localhost site URL — not a C2 address. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 3.1.35 | 17 / 0 | |
| 3.1.34 | 17 / 0 | |
| 3.1.33 | 17 / 0 | |
| 3.1.32 | 17 / 0 | |
| 3.1.31 | 17 / 0 | |
| 3.1.30 | 17 / 0 | |
| 3.1.29 | 17 / 0 | |
| 3.1.21 | 37 / 0 | |
| 3.1.20 | 37 / 0 | |
| 3.1.19 | 37 / 0 | |
| 3.1.14 | 37 / 0 | |
| 3.0.16 | 36 / 0 | |
| 3.0.13 | 34 / 0 | |
| 3.0.4 | 34 / 0 | |
| 3.0.3 | 34 / 0 | |
| 3.0.1 | 34 / 0 | |
v3.1.35
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.34
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.33
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.32
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.31
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.30
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.29
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.