There are worse things to mention about OneCLI as it looks like a completely vibe-coded mess, seeing that CLAUDE.md and Claude itself being one of the contributors [0]

Perhaps the most damning discovery is that they don't even do basic dependency pinning [1] [2] which just risks another supply chain attack.

As soon as I saw that, that was everything I needed to know about the project. No security audit whatsoever and Bitwarden believes this is something worth integrating.

[0] https://github.com/onecli/onecli/graphs/contributors

[1] https://github.com/onecli/onecli/blob/main/packages/ui/packa...

[2] https://github.com/onecli/onecli/blob/main/packages/db/packa...