@zowe/cli
Zowe CLI is a command line interface (CLI) that provides a simple and streamlined way to interact with IBM z/OS.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): @zowe/cli is a mature, well-established Zowe project CLI with 481 published versions. Lack of Sigstore provenance is a minor hygiene gap, not a security risk for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs validatePlugins and printSuccessMessage — both are benign CLI utility scripts documented as part of Zowe CLI's install flow. Stable across versions. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @zowe/cli is a well-known scoped package with 2500+ days of history; Levenshtein proximity to 'joi' is a trivial false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of a username field in the daemon IPC client is a standard data-encoding pattern, not an obfuscated payload. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in the daemon enable handler to spawn the Zowe daemon background process — a documented and expected feature of this CLI tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in printSuccessMessage.js is a ts-node fallback for resolving TextUtils at install time — a standard build/dev pattern, not arbitrary module loading. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 8.32.2 | 15 / 6 | |
| 8.32.0 | 15 / 6 | |
| 8.31.2 | 15 / 6 | |
| 8.29.5 | 15 / 7 | |
| 8.29.1 | 15 / 7 | |
| 8.24.2 | 15 / 7 | |
| 8.24.1 | 15 / 7 | |
| 8.23.1 | 15 / 7 | |
| 8.23.0 | 15 / 7 | |
| 8.22.0 | 15 / 7 | |
| 8.21.0 | 15 / 7 | |
| 8.20.0 | 15 / 7 | |
| 7.29.24 | 16 / 6 | |
| 7.29.17 | 16 / 7 |
v8.32.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.32.0
2 findingsScript: node ./scripts/validatePlugins && node ./scripts/printSuccessMessage
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.31.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.24.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.23.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.29.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.