@zibby/cli
Zibby CLI - Test automation generator and runner
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@zibby/agent-workflow | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic unreliable here. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New workflow/creds commands added; consistent with CLI feature growth. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/validate.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/validate-helpers.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/utils/session-uploader.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/schedule.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/run-local.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/creds.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/cloud-creds-check.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/workflows/agent-helpers.js | AI (source-diff): esbuild bundle output, not obfuscation; readable imports and logic throughout. | ai | |
| source-diff | obfuscated-file:dist/commands/chat-agents.js | AI (source-diff): esbuild bundle output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/commands/app-solo.js | AI (source-diff): esbuild-minified CLI bundle; samples show benign config/API logic, no exfiltration or shell exec. | ai | |
| source-diff | obfuscated-file:dist/commands/mcp.js | AI (source-diff): esbuild-minified CLI bundle; samples show benign MCP config logic, no exfiltration or shell exec. | ai | |
| source-diff | obfuscated-file:dist/commands/app.js | AI (source-diff): esbuild-minified CLI bundle; samples show benign config/API logic, no exfiltration or shell exec. | ai | |
| phantom-deps | phantom-dep:cronstrue | AI (phantom-deps): CLI tool with bundled dist; phantom-dep heuristic unreliable for bundled packages. | ai | |
| phantom-deps | phantom-dep:adm-zip | AI (phantom-deps): Bundled CLI; deps used in dist output not directly imported in source files. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Declared runtime dep; false positive. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/client-sqs | AI (phantom-deps): Framework-scoped AWS SDK; bundled CLI pattern. | ai | |
| phantom-deps | phantom-dep:@zibby/workflow | AI (phantom-deps): Same org scope; bundled CLI pattern. | ai | |
| phantom-deps | phantom-dep:cli-highlight | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:handlebars | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:inquirer | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:mem0ai | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:tar | AI (phantom-deps): Bundled CLI; deps resolved at build time. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @zibby/cli is a scoped CLI tool with no relation to joi; Levenshtein match is coincidental. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Bundled CLI; deps resolved at build time, not directly imported in source. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 0.6.0 | 21 / 2 | |
| 0.5.6 | 21 / 2 | |
| 0.4.26 | 21 / 2 | |
| 0.4.21 | 20 / 2 | |
| 0.4.18 | 20 / 2 | |
| 0.4.13 | 19 / 2 | |
| 0.4.7 | 19 / 2 | |
| 0.4.0 | 19 / 2 | |
| 0.3.0 | 19 / 2 | |
| 0.1.78 | 19 / 2 | |
| 0.1.73 | 18 / 2 | |
| 0.1.70 | 18 / 2 | |
| 0.1.58 | 18 / 2 | |
| 0.1.40 | 17 / 2 | |
| 0.1.38 | 17 / 2 | |
| 0.1.37 | 17 / 2 | |
| 0.1.29 | 17 / 2 | |
| 0.1.28 | 17 / 2 | |
| 0.1.27 | 17 / 2 | |
v0.6.0
4 findings:
- 3 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
12 findings:
- 11 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.73
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.70
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.58
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.40
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.38
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.