steedos-cli
Develop and run your enterprise apps in minutes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:request | AI (dependencies): request is a long-standing declared dependency of this CLI; no advisory affecting this version range. | ai | |
| phantom-deps | phantom-dep:request-promise | AI (phantom-deps): request-promise is a declared dep used via config; phantom-dep heuristic fires but it's a stable false positive for this CLI package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived steedos org package with 1578 versions; dormancy likely reflects development cycle, not takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ts-node is a well-known, widely-used TypeScript runtime; low risk for this CLI tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves @steedos/objectql from process.cwd() — intentional peer-dep resolution pattern, stable for this CLI package. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): File-watcher dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:change-case | AI (phantom-deps): Utility dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:compressing | AI (phantom-deps): Utility dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@geek/spinner | AI (phantom-deps): CLI spinner dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:yn | AI (phantom-deps): CLI tool; deps referenced in config/scripts, not direct imports — stable false positive pattern. | ai | |
| phantom-deps | phantom-dep:latest-version | AI (phantom-deps): Version-check dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): Known implicit runtime dep for TypeScript decorators; stable false positive. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): oclif plugin declared in oclif config block; stable false positive. | ai | |
| phantom-deps | phantom-dep:@oclif/config | AI (phantom-deps): oclif framework dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Same pattern; CLI config reference, not a real phantom dep concern. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): Build/utility dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): Runtime binary dep for TypeScript CLI; stable false positive. | ai | |
| phantom-deps | phantom-dep:archiver | AI (phantom-deps): Utility dep referenced in config; stable false positive. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 3.0.14 | 31 / 3 | |
| 3.0.13 | 31 / 3 | |
| 3.0.12 | 31 / 3 | |
| 3.0.11 | 31 / 3 | |
| 3.0.10 | 31 / 3 | |
| 3.0.9 | 31 / 3 | |
| 3.0.8 | 31 / 3 | |
| 3.0.7 | 31 / 3 | |
| 3.0.6 | 31 / 3 | |
| 3.0.4 | 31 / 3 | |
| 3.0.3 | 31 / 3 | |
| 3.0.2 | 31 / 3 | |
| 3.0.1 | 32 / 3 | |
| 3.0.0 | 32 / 3 | |
| 2.7.31 | 31 / 3 | |
| 2.7.30 | 31 / 3 | |
| 2.7.29 | 31 / 3 | |
| 2.7.28 | 31 / 3 | |
| 2.7.27 | 31 / 3 | |
| 2.7.25 | 31 / 3 | |
| 2.7.24 | 31 / 3 | |
| 2.7.23 | 31 / 3 | |
v3.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.