instant-cli — Greenflagged

Instant's CLI

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

stopachkanezajdwwdrew-h

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal is consistent with the transition to automated GitHub Actions publishing; SLSA attestation confirms the official repo is the source.	ai	2026/04/26
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation from the official instantdb/instant repo — this reflects a legitimate CI/CD migration, not a compromise.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): Package has SLSA provenance attestation confirming CI/CD publish; dormancy followed by legitimate feature release is consistent with this project's history.	ai	2026/04/26
phantom-deps	phantom-dep:dotenv	AI (phantom-deps): dotenv is a declared dependency used via config files; phantom detection is a false positive for this package.	ai	2026/04/26
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a declared dependency; @commander-js/extra-typings wraps it. Phantom detection is a false positive here.	ai	2026/04/26
phantom-deps	phantom-dep:ansi-escapes	AI (phantom-deps): ansi-escapes is a declared dependency used indirectly; false positive for this package.	ai	2026/04/26
provenance	slsa-provenance	AI (provenance): instant-cli consistently publishes via CI/CD with SLSA provenance; this is a stable supply chain integrity signal for this package.	ai	2026/04/26
dependencies	unvetted-dep:pkg-types	AI (dependencies): pkg-types is a well-maintained UnJS package used by Vite, Nuxt, and many major tools. Not a security concern for this package.	ai	2026/04/26
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding in an auth client module is a normal operation for decoding auth tokens/credentials. No obfuscation or malicious payload hiding evident.	ai	2026/04/25
semgrep	semgrep:env-spread	AI (semgrep): Flagged code is in a test helper (__tests__/e2e/helpers.ts) that spreads process.env to pass env vars to a child process — standard CLI test harness pattern, not a runtime risk.	ai	2026/04/25

Versions (showing 51 of 195)

View all versions

Version	Deps	Published
1.0.46	31 / 11	2026-06-09
1.0.45	31 / 11	2026-06-08
1.0.44	31 / 11	2026-06-08
1.0.43	31 / 11	2026-06-03
1.0.42	31 / 11	2026-05-29
1.0.41	31 / 11	2026-05-27
1.0.40	31 / 11	2026-05-26
1.0.39	31 / 11	2026-05-21
1.0.38	31 / 11	2026-05-18
1.0.37	31 / 11	2026-05-18
1.0.36	31 / 11	2026-05-18
1.0.35	31 / 11	2026-05-15
1.0.34	31 / 11	2026-05-15
1.0.33	31 / 11	2026-05-15
1.0.32	31 / 11	2026-05-13
1.0.31	31 / 11	2026-05-13
1.0.30	31 / 11	2026-05-13
1.0.29	31 / 11	2026-05-13
1.0.28	31 / 11	2026-05-12
1.0.27	31 / 11	2026-05-11
1.0.26	31 / 11	2026-05-08
1.0.25	31 / 11	2026-05-07
1.0.24	31 / 11	2026-05-05
1.0.23	31 / 11	2026-05-05
1.0.22	31 / 11	2026-04-30
1.0.21	31 / 11	2026-04-29
1.0.20	31 / 11	2026-04-27
1.0.19	31 / 11	2026-04-27
1.0.18	31 / 11	2026-04-27
1.0.17	31 / 11	2026-04-24
1.0.16	31 / 11	2026-04-24
1.0.15	31 / 11	2026-04-23
1.0.14	31 / 11	2026-04-22
1.0.13	31 / 11	2026-04-21
1.0.12	31 / 11	2026-04-20
1.0.11	31 / 11	2026-04-17
1.0.10	31 / 11	2026-04-17
1.0.9	31 / 11	2026-04-17
1.0.8	31 / 11	2026-04-16
1.0.7	31 / 11	2026-04-16
1.0.6	31 / 11	2026-04-16
1.0.5	30 / 10	2026-04-15
1.0.4	30 / 10	2026-04-14
1.0.3	30 / 10	2026-04-13
1.0.2	30 / 10	2026-04-13
1.0.1	30 / 10	2026-04-11
1.0.0	30 / 10	2026-04-09
0.22.185	30 / 10	2026-04-03
0.22.184	30 / 10	2026-04-03
0.22.183	30 / 10	2026-04-02
0.22.182	30 / 10	2026-04-02