@xmtp/convos-cli — Greenflagged

A command-line interface for Convos — privacy-focused messaging built on XMTP

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

xmtp-eng-robotgalligannick-xmtp

Keywords

convosxmtpmessagingprivacyephemeralper-conversation-identity

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): XMTP org migrated publish to GitHub Actions with SLSA attestation; legitimate CI transition.	ai	2026/06/04
provenance	missing-githead	AI (provenance): GitHub Actions publish environment may not inject gitHead; SLSA attestation provides equivalent commit traceability.	ai	2026/06/04
phantom-deps	phantom-dep:@oclif/plugin-autocomplete	AI (phantom-deps): oclif plugins are loaded by framework config, not direct imports; stable FP for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-help	AI (phantom-deps): oclif plugins are loaded by framework config, not direct imports; stable FP for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@noble/curves	AI (phantom-deps): Cryptographic dep likely used transitively or via dynamic import; stable FP for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-warn-if-update-available	AI (phantom-deps): oclif plugins are loaded by framework config, not direct imports; stable FP for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@oclif/plugin-not-found	AI (phantom-deps): oclif plugins are loaded by framework config, not direct imports; stable FP for this package.	ai	2026/04/29

Versions (showing 25 of 25)

Version	Deps	Published
0.10.5	12 / 12	2026-06-05
0.10.4	12 / 12	2026-06-03
0.10.3	14 / 10	2026-05-29
0.10.2	12 / 8	2026-05-28
0.10.1	12 / 8	2026-05-19
0.10.0	12 / 8	2026-05-15
0.9.1	12 / 8	2026-05-08
0.9.0	12 / 8	2026-05-05
0.8.0	12 / 8	2026-05-05
0.7.6	12 / 8	2026-05-03
0.7.4	12 / 8	2026-04-27
0.7.3	12 / 8	2026-04-16
0.7.2	12 / 8	2026-04-15
0.7.1	12 / 8	2026-04-14
0.7.0	12 / 8	2026-03-19
0.6.2	12 / 8	2026-03-18
0.6.0	12 / 8	2026-03-17
0.5.0	12 / 8	2026-03-11
0.4.1	12 / 8	2026-03-10
0.4.0	12 / 8	2026-03-06
0.3.2	12 / 8	2026-02-26
0.3.1	12 / 8	2026-02-21
0.3.0	12 / 8	2026-02-21
0.2.0	12 / 8	2026-02-19
0.1.0	12 / 8	2026-02-19

v0.10.5

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.10.4

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v0.10.3

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: xmtp-eng-robot → GitHub Actions (on 2026-05-29) provenance

This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.