@11ty/eleventy
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:please-upgrade-node | AI (dependencies): please-upgrade-node is a benign Node.js version-check utility; no security risk for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Template engine legitimately loads user-supplied JSON config files at runtime; stable pattern across versions. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get/has used in standard Proxy handler implementation; not obfuscation. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): chokidar is a declared runtime dependency used for file watching; phantom-dep heuristic false positive. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 3.1.6 | 33 / 32 | |
| 3.1.5 | 33 / 32 | |
| 3.1.2 | 33 / 33 | |
| 3.1.1 | 33 / 32 | |
| 3.1.0 | 33 / 30 |
v3.1.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.