Gathering detailed insights and metrics for @oclif/core
Gathering detailed insights and metrics for @oclif/core
Node.js Open CLI Framework. Built by Salesforce.
Installations
npm install @oclif/coreDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=18.0.0
Node Version
22.16.0
NPM Version
10.9.2
Score
88.8
Supply Chain
98.5
Quality
94.6
Maintenance
100
Vulnerability
99.6
License
Releases
422
Languages
2
TypeScript
JavaScript
TypeScript (99.14%)
JavaScript (0.86%)
Developer
Download Statistics
Total Downloads
277,717,565
Last Day
151,078
Last Week
3,014,151
Last Month
12,934,571
Last Year
134,396,174
GitHub Statistics
MIT License
245 Stars
1,648 Commits
77 Forks
6 Watchers
8 Branches
62 Contributors
Updated on Jun 30, 2025
Maintainers
2
Package Meta Information
Latest Version
4.4.0
Package Id
@oclif/core@4.4.0
Unpacked Size
397.92 kB
Size
99.35 kB
File Count
161
NPM Version
10.9.2
Node Version
22.16.0
Published on
Jun 17, 2025
Total Downloads
Cumulative downloads
Total Downloads
277,717,565
Last Day
1.9%
151,078
Compared to previous day
Last Week
-5.4%
3,014,151
Compared to previous week
Last Month
5.1%
12,934,571
Compared to previous month
Last Year
40.4%
134,396,174
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
18
Dev Dependencies
39
@commitlint/config-conventional@eslint/compat@oclif/plugin-help@oclif/plugin-plugins@oclif/prettier-config@oclif/test@types/benchmark@types/chai@types/chai-as-promised@types/clean-stack@types/debug@types/ejs@types/indent-string@types/mocha@types/node@types/pnpapi@types/sinon@types/supports-color@types/wordwrap@types/wrap-ansibenchmarkchaichai-as-promisedcommitlintcross-enveslinteslint-config-oclifeslint-config-prettierhuskylint-stagedmadgemochanycprettiershxsinonts-nodetsdtypescript
oclif: Node.JS Open CLI Framework
🗒 Description
This is a framework for building CLIs in Node.js. This framework was built out of the Salesforce CLI but generalized to build any custom CLI. It's designed both for single-file CLIs with a few flag options (like cat or ls), or for very complex CLIs that have subcommands (like git or heroku).
See the docs for more information.
🚀 Getting Started Tutorial
The Getting Started tutorial is a step-by-step guide to introduce you to oclif. If you have not developed anything in a command line before, this tutorial is a great place to get started.
✨ Features
- Flag/Argument parsing - No CLI framework would be complete without a flag parser. We've built a custom one from years of experimentation that we feel consistently handles user input flexible enough for the user to be able to use the CLI in ways they expect, but without compromising strictness guarantees to the developer.
- Super Speed - The overhead for running an oclif CLI command is almost nothing. It requires very few dependencies (only 28 dependencies in a minimal setup—including all transitive dependencies). Also, only the command to be executed will be required with node. So large CLIs with many commands will load equally as fast as a small one with a single command.
- CLI Generator - Run a single command to scaffold out a fully functional CLI and get started quickly. See Getting Started Tutorial.
- Testing Helpers - We've put a lot of work into making commands easier to test and mock out stdout/stderr. The generator will automatically create scaffolded tests.
- Auto-documentation - By default you can pass
--helpto the CLI to get help such as flag options and argument information. This information is also automatically placed in the README whenever the npm package of the CLI is published. See the hello-world CLI example - Plugins - Using plugins, users of the CLI can extend it with new functionality, a CLI can be split into modular components, and functionality can be shared amongst multiple CLIs. See Building your own plugin.
- Hooks - Use lifecycle hooks to run functionality any time a CLI starts, or on custom triggers. Use this whenever custom functionality needs to be shared between various components of the CLI.
- TypeScript - Everything in the core of oclif is written in TypeScript and the generator will build fully configured TypeScript CLIs. If you use plugins support, the CLI will automatically use
ts-nodeto run the plugins enabling you to use TypeScript with minimal-to-no boilerplate needed for any oclif CLI. - Auto-updating Installers - oclif can package your CLI into different installers that will not require the user to already have node installed on the machine. These can be made auto-updatable by using plugin-update.
- Everything is Customizable - Pretty much anything can be swapped out and replaced inside oclif if needed—including the arg/flag parser.
- Autocomplete - Automatically include autocomplete for your CLI. This includes not only command names and flag names, but flag values as well. For example, it's possible to configure the Heroku CLI to have completions for Heroku app names:
$ heroku info --app=<tab><tab> # will complete with all the Heroku apps a user has in their account
📌 Requirements
Currently, Node 18+ is supported. We support the LTS versions of Node. You can add the node package to your CLI to ensure users are running a specific version of Node.
📌 Migrating
See the v3 migration guide for an overview of breaking changes that occurred between v2 and v3.
See the v2 migration guide for an overview of breaking changes that occurred between v1 and v2.
Migrating from @oclif/config and @oclif/command? See the v1 migration guide.
📌 Documentation
The official oclif website, oclif.io, contains all the documentation you need for developing a CLI with oclif.
If there's anything you'd like to see in the documentation, please submit an issue on the oclif.github.io repo.
🚀 Standalone Usage
We strongly encourage you generate an oclif CLI using the oclif cli. The generator will generate an npm package with @oclif/core as a dependency.
You can, however, use @oclif/core in a standalone script like this:
1#!/usr/bin/env -S node --loader ts-node/esm --no-warnings=ExperimentalWarning 2 3import * as fs from 'fs' 4import {Command, Flags, flush, handle} from '@oclif/core' 5 6class LS extends Command { 7 static description = 'List the files in a directory.' 8 static flags = { 9 version: Flags.version(), 10 help: Flags.help(), 11 dir: Flags.string({ 12 char: 'd', 13 default: process.cwd(), 14 }), 15 } 16 17 async run() { 18 const {flags} = await this.parse(LS) 19 const files = fs.readdirSync(flags.dir) 20 for (const f of files) { 21 this.log(f) 22 } 23 } 24} 25 26LS.run(process.argv.slice(2), { 27 root: import.meta.dirname, 28 // Tell oclif what the contents of the package.json are. 29 // You could also set these in your package.json but specifying 30 // them here is useful if you're attempting to bundle your CLI 31 // without a package.json 32 pjson: { 33 name: 'ls', 34 version: '0.0.1', 35 oclif: { 36 // Tell oclif that this is a single command CLI 37 // See: https://oclif.io/docs/command_discovery_strategies 38 commands: { 39 strategy: 'single', 40 target: 'index.js', 41 }, 42 }, 43 }, 44}).then( 45 async () => { 46 await flush() 47 }, 48 async (err) => { 49 await handle(err) 50 }, 51)
Then run it like this:
1$ ts-node myscript.ts 2...files in current dir...
You can also use oclif's Parser separately:
1// index.js 2import {Args, Flags, Parser} from '@oclif/core' 3 4const {args, flags} = await Parser.parse(process.argv.slice(2), { 5 args: { 6 name: Args.string({required: true}), 7 }, 8 flags: { 9 from: Flags.string({char: 'f', default: 'oclif'}), 10 }, 11}) 12 13console.log(`hello ${args.name} from ${flags.from}`)
$ node index.js world --from oclif
hello world from oclif
NOTE If you're using the Parser class, you will not be able to use the builtin help and version flags since those require the context of an oclif project.
🚀 Contributing
See the contributing guide.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 2/8 approved changesets -- score normalized to 2
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/automerge.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-github-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/external-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/failureNotifications.yml:1
- Warn: no topLevel permission defined: .github/workflows/notify-slack-on-pr-open.yml:1
- Warn: no topLevel permission defined: .github/workflows/onRelease.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/external-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/external-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/external-test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/external-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/external-test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/external-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/external-test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/external-test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/failureNotifications.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/failureNotifications.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/notify-slack-on-pr-open.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/notify-slack-on-pr-open.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/onRelease.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/onRelease.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/onRelease.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/onRelease.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/oclif/core/test.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:119
- Info: 0 out of 11 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 8 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 26 are checked with a SAST tool
Reason
10 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-4g88-fppr-53pp
- Warn: Project is vulnerable to: GHSA-4jqc-8m5r-9rpr
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Score
4
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More