fuma-cli No license 8 versions

fuma-cli

npm Repository Homepage

8

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sonmoosans

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:package-manager-detector	AI (phantom-deps): Used in installer logic; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:zod	AI (phantom-deps): Used in schema validation; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:tinyexec	AI (phantom-deps): Used in build/compiler pipeline; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:oxc-parser	AI (phantom-deps): Core compiler dependency; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:picocolors	AI (phantom-deps): Used in CLI output; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:magic-string	AI (phantom-deps): Used in code transformation; heuristic false positive for this build-tool package.	ai	2026/04/30
phantom-deps	phantom-dep:oxc-resolver	AI (phantom-deps): Core compiler dependency; heuristic false positive for this build-tool package.	ai	2026/04/30
npm-metadata	suspicious-initial-version	AI (npm-metadata): Legitimate initial release from the Fumadocs ecosystem; 0.0.0 is the intentional starting version.	ai	2026/04/30

Versions (showing 8 of 8)

Version	Deps	Published
0.1.1	6 / 6	2026-05-02
0.0.6	7 / 5	2026-04-27
0.0.5	7 / 5	2026-04-11
0.0.4	7 / 5	2026-04-09
0.0.3	7 / 5	2026-04-07
0.0.2	7 / 5	2026-04-07
0.0.1	7 / 5	2026-04-07
0.0.0	7 / 5	2026-04-07

v0.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.