@zowe/imperative EPL-2.0 22 versions

@zowe/imperative

npm Repository Homepage

framework for building configurable CLIs

22

Versions

EPL-2.0

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

joe_winchesterzowerobotmarkackertbroadcom

Keywords

CLIframeworkzowe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	url-dep:web-help	AI (npm-metadata): web-help is a local file: dev dependency bundled within the monorepo; not a remote URL risk.	ai	2026/05/22
source-diff	large-new-source-files	AI (source-diff): Large file count reflects cross-major-version diff artifact, not injected code.	ai	2026/04/28
publish-pattern	new-deps-added	AI (publish-pattern): Cross-major-version diff; new deps are benign utilities consistent with Zowe CLI framework evolution.	ai	2026/04/28
dependencies	unvetted-dep:lodash-deep	AI (dependencies): lodash-deep is a legitimate utility library; its use in a CLI framework is expected and benign across all versions.	ai	2026/04/26
dependencies	unvetted-dep:markdown-it	AI (dependencies): markdown-it is a well-known markdown parser; its use in Zowe Imperative for web help rendering is expected and benign.	ai	2026/04/26
dependencies	unvetted-dep:dataobject-parser	AI (dependencies): dataobject-parser is a legitimate utility; its use in a CLI config framework is expected and benign.	ai	2026/04/26
phantom-deps	phantom-dep:jsonschema	AI (phantom-deps): Phantom dep in a large monorepo framework; declared for config validation tooling, not a security concern.	ai	2026/04/26
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used to parse HTTP Basic Auth headers — standard authentication handling, not payload obfuscation.	ai	2026/04/25
semgrep	semgrep:eval-usage	AI (semgrep): eval() in EnvQuery.js evaluates internal semver probe expressions for diagnostics; input is from internal config, not arbitrary user input.	ai	2026/04/25
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require of handlerPath is the core plugin/handler loading mechanism of this CLI framework — expected and documented behavior across all versions.	ai	2026/04/25
phantom-deps	phantom-dep:@types/yargs	AI (phantom-deps): @types/* packages are TypeScript type definitions loaded by convention; phantom-dep warnings are expected false positives for this package type.	ai	2026/04/25
phantom-deps	phantom-dep:@types/semver	AI (phantom-deps): @types/* packages are TypeScript type definitions loaded by convention; phantom-dep warnings are expected false positives for this package type.	ai	2026/04/25
semgrep	semgrep:env-bulk-read	AI (semgrep): Iterating process.env to delete CLI-prefixed vars during daemon context cleanup is standard CLI framework behavior in Zowe Imperative; not exfiltration.	ai	2026/04/25

Versions (showing 22 of 22)

Version	Deps	Published
8.32.2	39 / 20	2026-05-21
8.32.0	39 / 20	2026-04-25
8.31.5	38 / 21	2026-04-14
8.31.3	38 / 21	2026-04-03
8.31.2	38 / 21	2026-03-30
8.31.1	38 / 21	2026-03-25
8.30.1	38 / 21	2026-02-20
8.29.11	37 / 21	2026-01-28
8.29.10	37 / 21	2026-01-23
8.29.8	38 / 22	2026-01-07
8.29.6	38 / 22	2025-12-18
8.29.4	38 / 22	2025-11-15
8.29.1	38 / 22	2025-11-10
8.24.2	38 / 22	2025-07-04
8.24.1	38 / 22	2025-06-25
8.23.1	38 / 22	2025-06-12
8.22.0	38 / 22	2025-06-03
8.21.0	38 / 22	2025-05-21
5.27.16	37 / 25	2026-04-08
5.27.15	37 / 25	2026-02-19
5.27.14	37 / 25	2026-01-24
5.27.12	38 / 26	2025-11-17

v8.32.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.32.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.31.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.31.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.31.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.31.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.30.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.29.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.24.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.24.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.23.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.22.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.21.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.27.16

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.27.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.27.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.27.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.