← Home

@yawlabs/spend

npm Repository Homepage

spend.sh MCP server — AI spend tracking, cost estimation, and provider comparison

6
Versions
SEE LICENSE IN LICENSE
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jeffyaw

Keywords

mcpllmai-spendfinopstokenscostpricingvector-dbinference-hostagent-spendanthropicopenaigeminimodel-context-protocol

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:zod AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:hono AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:pino AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:yaml AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:nanoid AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:ioredis AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:postgres AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:nodemailer AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:js-tiktoken AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:jsonwebtoken AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:@hono/node-server AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:google-auth-library AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:@google-cloud/bigquery AI (phantom-deps): Framework-scoped; stable false positive for this package. ai
phantom-deps phantom-dep:@aws-sdk/client-cost-explorer AI (phantom-deps): Framework-scoped; stable false positive for this package. ai
phantom-deps phantom-dep:@lemonsqueezy/lemonsqueezy.js AI (phantom-deps): Framework-convention loading; stable false positive for this package. ai
phantom-deps phantom-dep:@aws-sdk/client-bedrock-runtime AI (phantom-deps): Framework-scoped; stable false positive for this package. ai

Versions (showing 6 of 6)

Version Deps Published
0.8.8 17 / 11
0.8.7 17 / 11
0.8.6 17 / 11
0.5.0 14 / 11
0.4.1 0 / 25
0.4.0 0 / 25

v0.8.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.