@zuplo/cli — Greenflagged

<p align="center"> <a href="https://zuplo.com"> <img src="https://portal.zuplo.com/zuplo.svg" height="96"> <h3 align="center">Zuplo</h3> </a> </p> <p align="center">Zuplo's API Gateway helps small and large teams get APIs to production that ar

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ntottenzuplo-integrationsvazexqidan-leemoritzs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-SD2N5PY4.js	AI (source-diff): Minified ESM build artifact from bundled @zuplo/runtime; Zuplo copyright header and JWT logic visible; consistent with normal build output.	ai	2026/05/31
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-QZEGTRKY.js	AI (source-diff): Minified ESM bundle from @zuplo/runtime (same org, bundled dep); consistent with normal build output across versions.	ai	2026/05/30
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-WT4H7RKW.js	AI (source-diff): Minified ESM build artifact from bundled @zuplo/runtime; Zuplo copyright header and JWT logic visible; consistent with normal build output.	ai	2026/05/29
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-SQ4CJMPN.js	AI (source-diff): Minified ESM bundle from bundled @zuplo/runtime dep; Zuplo copyright header present, content is standard JWT auth logic.	ai	2026/05/29
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-U763HG2Z.js	AI (source-diff): Minified ESM bundle from bundled @zuplo/runtime dep; Zuplo copyright header and JWT logic visible; consistent with normal build output.	ai	2026/05/29
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-HQB254PW.js	AI (source-diff): Minified ESM bundle from bundled @zuplo/runtime (same org); consistent with normal CLI build output across versions.	ai	2026/05/29
source-diff	obfuscated-file:node_modules/@zuplo/runtime/out/esm/browser-login-idp-HWMCSYMR.js	AI (source-diff): Bundled ESM chunk from @zuplo/runtime (same org); minified build output with Zuplo copyright header, not malicious obfuscation.	ai	2026/05/26
phantom-deps	phantom-dep:js-yaml	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:prettier	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:fast-glob	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:jsonc-parser	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:posthog-node	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:jsonpath-plus	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:javascript-stringify	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/otel	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
source-diff	net-exec-file:node_modules/jsonpath-plus/dist/index-browser-umd.cjs	AI (source-diff): Standard UMD build of jsonpath-plus; dynamic code execution is eval-based JSONPath evaluation, not a dropper.	ai	2026/04/29
source-diff	obfuscated-file:node_modules/prettier/index.cjs	AI (source-diff): Standard minified prettier build bundled inside the tarball; not malicious obfuscation.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/openapi-tools	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/graphql	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/runtime	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/core	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
phantom-deps	phantom-dep:@zuplo/editor	AI (phantom-deps): Same-org bundled dep; listed in bundleDependencies.	ai	2026/04/29
phantom-deps	phantom-dep:ora	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball, not a phantom dep.	ai	2026/04/29
phantom-deps	phantom-dep:jose	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:open	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:pino	AI (phantom-deps): Listed in bundleDependencies; bundled into tarball.	ai	2026/04/29
phantom-deps	phantom-dep:@fastify/static	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:deno	AI (phantom-deps): Legitimate build/runtime dependency for CLI tool; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:execa	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:cookie	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:rimraf	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:fastify	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:as-table	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:@swc/core	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:pino-pretty	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:@fastify/cors	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:fastify-plugin	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:fastify-sse-v2	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:@opentelemetry/api	AI (phantom-deps): Legitimate build/runtime dependency; declared for dynamic invocation or config use.	ai	2026/04/26
phantom-deps	phantom-dep:zod	AI (phantom-deps): Phantom deps are expected in CLI tools; zod is referenced in config files and properly declared.	ai	2026/04/26
phantom-deps	phantom-dep:workerd	AI (phantom-deps): workerd is a known implicit runtime dependency; expected for Zuplo CLI.	ai	2026/04/26
phantom-deps	phantom-dep:esbuild	AI (phantom-deps): esbuild is a known implicit dependency for build/bundling; expected for CLI tools.	ai	2026/04/26
dependencies	unvetted-dep:fastify-sse-v2	AI (dependencies): fastify-sse-v2 is a Fastify SSE plugin; legitimate dependency for local dev server streaming.	ai	2026/04/25
dependencies	unvetted-dep:jsonpath-plus	AI (dependencies): jsonpath-plus is a well-known JSON path library; legitimate dependency.	ai	2026/04/25
dependencies	unvetted-dep:@zuplo/openapi-tools	AI (dependencies): First-party @zuplo scoped package; same organization as the CLI itself.	ai	2026/04/25
dependencies	unvetted-dep:@zuplo/runtime	AI (dependencies): First-party @zuplo scoped package; same organization as the CLI itself.	ai	2026/04/25
dependencies	unvetted-dep:@zuplo/core	AI (dependencies): First-party @zuplo scoped package; same organization as the CLI itself.	ai	2026/04/25
dependencies	unvetted-dep:jose	AI (dependencies): jose is a well-known JWT/JOSE library; legitimate dependency for auth-related CLI features.	ai	2026/04/25
dependencies	unvetted-dep:fastify	AI (dependencies): fastify is a well-known web framework; legitimate dependency for @zuplo/cli's local dev server.	ai	2026/04/25
dependencies	unvetted-dep:workerd	AI (dependencies): workerd is Cloudflare's Workers runtime, a legitimate binary dependency for local dev simulation.	ai	2026/04/25
typosquat	typosquat.levenshtein:joi	AI (typosquat): @zuplo/cli is a scoped package from Zuplo, Inc. — not a typosquat of 'joi'. Levenshtein distance comparison across scoped vs unscoped packages is a false positive here.	ai	2026/04/25
dependencies	unvetted-dep:deno	AI (dependencies): deno is a legitimate runtime binary dependency for @zuplo/cli's local dev server functionality.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Zuplo publishes via GitHub Actions CI/CD; lack of Sigstore provenance is common and not a risk signal for this established package.	ai	2026/04/25
dependencies	unvetted-dep:as-table	AI (dependencies): as-table is a small table-formatting utility; legitimate CLI output dependency.	ai	2026/04/25

Versions (showing 51 of 509)

View all versions

Version	Deps	Published
6.70.66	45 / 0	2026-06-06
6.70.63	45 / 0	2026-06-04
6.70.62	45 / 0	2026-06-03
6.70.61	45 / 0	2026-06-02
6.70.60	45 / 0	2026-06-02
6.70.59	45 / 0	2026-06-01
6.70.57	45 / 0	2026-05-28
6.70.56	45 / 0	2026-05-28
6.70.55	45 / 0	2026-05-27
6.70.53	45 / 0	2026-05-27
6.70.51	45 / 0	2026-05-26
6.70.49	45 / 0	2026-05-25
6.70.48	45 / 0	2026-05-24
6.70.47	45 / 0	2026-05-24
6.70.45	45 / 0	2026-05-22
6.70.43	45 / 0	2026-05-22
6.70.42	45 / 0	2026-05-22
6.70.41	45 / 0	2026-05-21
6.70.40	45 / 0	2026-05-21
6.70.39	45 / 0	2026-05-21
6.70.34	45 / 0	2026-05-19
6.70.33	45 / 0	2026-05-19
6.70.32	45 / 0	2026-05-19
6.70.31	45 / 0	2026-05-18
6.70.30	45 / 0	2026-05-18
6.70.29	45 / 0	2026-05-16
6.70.28	45 / 0	2026-05-15
6.70.27	45 / 0	2026-05-14
6.70.25	45 / 0	2026-05-14
6.70.16	45 / 0	2026-05-13
6.70.15	45 / 0	2026-05-13
6.70.14	45 / 0	2026-05-12
6.70.13	45 / 0	2026-05-12
6.69.6	45 / 0	2026-05-06
6.69.4	45 / 0	2026-05-01
6.69.3	45 / 0	2026-04-30
6.69.1	45 / 0	2026-04-28
6.68.30	45 / 0	2026-04-27
6.68.29	45 / 0	2026-04-24
6.68.28	45 / 0	2026-04-24
6.68.27	45 / 0	2026-04-24
6.68.26	45 / 0	2026-04-24
6.68.25	45 / 0	2026-04-24
6.68.24	45 / 0	2026-04-23
6.68.18	45 / 0	2026-04-18
6.68.17	45 / 0	2026-04-17
6.68.16	45 / 0	2026-04-15
6.68.15	45 / 0	2026-04-15
6.68.10	45 / 0	2026-04-14
6.68.9	45 / 0	2026-04-10
6.68.8	45 / 0	2026-04-09

v6.70.66

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.63

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.62

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.61

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.60

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.59

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.57

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.56

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.55

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.53

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-QZEGTRKY.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.51

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-QZEGTRKY.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.49

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-U763HG2Z.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.48

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-WT4H7RKW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.47

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-WT4H7RKW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.45

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-SQ4CJMPN.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.43

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-SQ4CJMPN.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.42

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-HQB254PW.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.41

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-SD2N5PY4.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.40

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-HWMCSYMR.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.39

2 findings

HIGH New obfuscated file: node_modules/@zuplo/runtime/out/esm/browser-login-idp-HWMCSYMR.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.34

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.33

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.32

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.31

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.30

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.29

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.28

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.27

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.25

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.70.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.69.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.69.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.69.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.68.29

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.28

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.27

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.26

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.25

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.24

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.18

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.17

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.68.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.