@zenstackhq/cli
FullStack database toolkit with built-in access control and automatic API generation.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Standard exec helper pattern; merges caller-supplied env with process.env for child process — not exfiltration. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @zenstackhq/cli is not a plausible typosquat of 'joi'; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:ts-pattern | AI (phantom-deps): ts-pattern is a declared runtime dep in a bundled CLI; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:@zenstackhq/schema | AI (phantom-deps): Same-org monorepo dep; phantom detection is a false positive for bundled packages. | ai |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 3.7.1 | 23 / 12 | |
| 3.7.0 | 23 / 12 | |
| 3.6.4 | 23 / 12 | |
| 3.6.3 | 23 / 12 | |
| 3.6.2 | 23 / 12 | |
| 3.6.1 | 23 / 12 | |
| 3.6.0 | 23 / 12 | |
| 3.5.6 | 23 / 11 | |
| 3.5.5 | 23 / 11 | |
| 3.5.4 | 23 / 11 | |
| 3.5.3 | 23 / 11 | |
| 3.5.2 | 23 / 11 | |
| 3.5.1 | 23 / 11 | |
| 3.5.0 | 23 / 11 | |
| 3.4.6 | 23 / 11 | |
| 3.4.5 | 23 / 11 | |
| 3.4.4 | 23 / 11 | |
| 3.4.3 | 23 / 11 | |
| 3.4.2 | 23 / 11 | |
| 3.4.1 | 23 / 11 | |
| 3.4.0 | 23 / 11 | |
| 3.3.3 | 23 / 11 | |
| 3.3.2 | 23 / 11 | |
| 3.3.1 | 23 / 11 | |
| 3.3.0 | 23 / 11 | |
| 3.2.1 | 15 / 10 | |
| 3.2.0 | 15 / 10 | |
| 3.1.1 | 14 / 10 | |
| 3.1.0 | 14 / 10 | |
| 3.0.0 | 14 / 10 |
v3.7.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.1
2 findingsSpreading entire process.env into an object — may capture all secrets 7 | export function execSync(cmd: string, options?: Omit<ExecSyncOptions, 'env'> & { env?: Record<string, string> }): void { 8 | const { env, ...restOptions } = options ?? {}; > 9 | const mergedEnv = env ? { ...process.env, ...env } : undefined; 10 | _exec(cmd, { 11 | encoding: 'utf-8',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.0
2 findingsSpreading entire process.env into an object — may capture all secrets 7 | export function execSync(cmd: string, options?: Omit<ExecSyncOptions, 'env'> & { env?: Record<string, string> }): void { 8 | const { env, ...restOptions } = options ?? {}; > 9 | const mergedEnv = env ? { ...process.env, ...env } : undefined; 10 | _exec(cmd, { 11 | encoding: 'utf-8',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
2 findingsSpreading entire process.env into an object — may capture all secrets 7 | export function execSync(cmd: string, options?: Omit<ExecSyncOptions, 'env'> & { env?: Record<string, string> }): void { 8 | const { env, ...restOptions } = options ?? {}; > 9 | const mergedEnv = env ? { ...process.env, ...env } : undefined; 10 | _exec(cmd, { 11 | encoding: 'utf-8',
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.