@514labs/moose-lib
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-peer-dep:ts-patch | AI (dependencies): Peer dependency in optional peer deps; already marked as accepted risk. | ai | |
| provenance | publisher-changed | AI (provenance): 514labs transitioned from 514bot to GitHub Actions for publishing, confirmed by SLSA provenance attestation. This is a legitimate CI/CD migration, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): luciofranco appears to be a legitimate team member addition within the 514labs org, consistent with the GitHub Actions publishing transition and SLSA attestation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @514labs/kafka-javascript is a same-org scoped package, not a third-party injection. Consistent with internal tooling expansion. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is missing but common across npm ecosystem; not a disqualifier for established packages with clean publisher track records. | ai | |
| dependencies | unvetted-dep:@confluentinc/kafka-javascript | AI (dependencies): @confluentinc/kafka-javascript is the official Confluent Kafka JS client; legitimate dependency for a data engineering framework like moose-lib. | ai | |
| phantom-deps | phantom-dep:tsconfig-paths | AI (phantom-deps): tsconfig-paths is used at runtime via ts-node for TypeScript path resolution; not directly imported in source but legitimately needed. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is 695 days old with 4213 versions and a legitimate data engineering framework purpose; missing metadata is a hygiene issue, not a spam/malware indicator. | ai | |
| dependencies | unvetted-dep:@514labs/kafka-javascript | AI (dependencies): Publisher's own patched fork of kafka-javascript; consistent with the package's data infrastructure focus. | ai | |
| dependencies | unvetted-dep:@kafkajs/confluent-schema-registry | AI (dependencies): Well-known Confluent Schema Registry client maintained by the KafkaJS org. Legitimate dependency for Kafka-based data pipelines. | ai | |
| dependencies | unvetted-dep:@temporalio/client | AI (dependencies): Temporal.io SDK is a well-known, legitimate workflow orchestration library from Temporal Technologies. Stable dependency for this data infrastructure package. | ai | |
| dependencies | unvetted-dep:@temporalio/common | AI (dependencies): Temporal.io SDK common package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/worker | AI (dependencies): Temporal.io SDK worker package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/activity | AI (dependencies): Temporal.io SDK activity package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/workflow | AI (dependencies): Temporal.io SDK workflow package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@clickhouse/client-web | AI (dependencies): Official ClickHouse browser-compatible client from ClickHouse Inc. Legitimate dependency for a data infrastructure library. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Automated CI/CD publishing pipeline for an established package; missing description is a cosmetic issue, not a security signal. | ai | |
| phantom-deps | phantom-dep:@clickhouse/client-web | AI (phantom-deps): ClickHouse web client declared for browser-compatible export path; phantom-dep flag is expected given the conditional export structure. | ai | |
| phantom-deps | phantom-dep:@temporalio/common | AI (phantom-deps): Temporal common types package declared for type-level usage; phantom-dep flag is expected for type/config dependencies. | ai | |
| phantom-deps | phantom-dep:fastq | AI (phantom-deps): fastq is a legitimate declared dependency used transitively; phantom-dep flag is a structural note, not a security concern for this package. | ai | |
Versions (showing 51 of 576)
| Version | Deps | Published |
|---|---|---|
| 0.6.530 | 17 / 12 | |
| 0.6.528 | 17 / 12 | |
| 0.6.526 | 17 / 12 | |
| 0.6.524 | 17 / 12 | |
| 0.6.522 | 17 / 12 | |
| 0.6.521 | 17 / 12 | |
| 0.6.520 | 17 / 12 | |
| 0.6.519 | 17 / 12 | |
| 0.6.517 | 17 / 12 | |
| 0.6.507 | 17 / 12 | |
| 0.6.506 | 17 / 12 | |
| 0.6.504 | 17 / 12 | |
| 0.6.502 | 17 / 12 | |
| 0.6.500 | 17 / 12 | |
| 0.6.497 | 17 / 12 | |
| 0.6.495 | 17 / 12 | |
| 0.6.493 | 17 / 12 | |
| 0.6.490 | 17 / 12 | |
| 0.6.485 | 17 / 12 | |
| 0.6.483 | 17 / 12 | |
| 0.6.482 | 17 / 12 | |
| 0.6.481 | 17 / 12 | |
| 0.6.480 | 17 / 12 | |
| 0.6.476 | 17 / 12 | |
| 0.6.473 | 17 / 12 | |
| 0.6.470 | 17 / 12 | |
| 0.6.469 | 17 / 12 | |
| 0.6.468 | 17 / 12 | |
| 0.6.465 | 17 / 12 | |
| 0.6.462 | 17 / 12 | |
| 0.6.461 | 17 / 12 | |
| 0.6.388 | 17 / 10 | |
| 0.6.368 | 17 / 10 | |
| 0.6.327 | 17 / 10 | |
| 0.6.326 | 17 / 10 | |
| 0.6.315 | 17 / 10 | |
| 0.6.313 | 17 / 10 | |
| 0.6.312 | 17 / 10 | |
| 0.6.310 | 17 / 10 | |
| 0.6.309 | 17 / 10 | |
| 0.6.306 | 17 / 10 | |
| 0.6.304 | 17 / 10 | |
| 0.6.302 | 17 / 10 | |
| 0.6.301 | 17 / 10 | |
| 0.6.300 | 17 / 10 | |
| 0.6.299 | 17 / 10 | |
| 0.6.296 | 17 / 10 | |
| 0.6.290 | 17 / 10 | |
| 0.6.289 | 17 / 10 | |
| 0.6.286 | 17 / 10 | |
| 0.6.285 | 17 / 10 | |
v0.6.526
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.524
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.522
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.521
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.520
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.519
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.517
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.507
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.506
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.504
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.502
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.500
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.497
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.495
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.493
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.490
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.485
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.483
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.482
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.481
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.480
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.476
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.473
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.470
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.469
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.468
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.465
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.462
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.461
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.388
2 findings: This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.368
2 findings: This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.327
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.326
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.315
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.313
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.312
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.310
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.309
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.306
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.304
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.302
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.301
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.300
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.299
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.296
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.290
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.289
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.286
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.285
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
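The three signals this report repeats for every version (no-provenance, publisher-changed, new-deps-added) and the Accepted risks table that suppresses some of them can be re-derived from the npm registry's packument for a package. The script below is an added example, not code from the report tool or from the 514labs project. It assumes the registry field layout `versions[v]._npmUser.name`, `versions[v].dist.attestations.provenance.predicateType` and `time[v]`; the packument it runs on is constructed for the example and is not real @514labs/moose-lib data.

```javascript
// Added example: re-derive per-version supply-chain signals from an npm packument.
// Assumed registry layout (not verified against the report tool):
//   packument.time[version]                      -> ISO publish timestamp
//   packument.versions[version]._npmUser.name    -> publishing npm account
//   packument.versions[version].dist.attestations.provenance.predicateType
const SLSA_V1 = "https://slsa.dev/provenance/v1";

// Constructed sample packument (hypothetical package): provenance starts at 0.6.315,
// the publishing account changes at 0.6.368, and a new dependency appears at 0.6.388.
const SAMPLE_PACKUMENT = {
  name: "@example/lib",
  time: {
    "0.6.313": "2026-01-20T10:00:00.000Z",
    "0.6.315": "2026-01-25T10:00:00.000Z",
    "0.6.368": "2026-02-04T10:00:00.000Z",
    "0.6.388": "2026-02-12T10:00:00.000Z",
  },
  versions: {
    "0.6.313": { _npmUser: { name: "bot-a" }, dependencies: { a: "1.0.0" }, dist: {} },
    "0.6.315": { _npmUser: { name: "bot-a" }, dependencies: { a: "1.0.0" },
      dist: { attestations: { url: "https://registry.example/attestations/1", provenance: { predicateType: SLSA_V1 } } } },
    "0.6.368": { _npmUser: { name: "ci-b" }, dependencies: { a: "1.0.0" },
      dist: { attestations: { url: "https://registry.example/attestations/2", provenance: { predicateType: SLSA_V1 } } } },
    "0.6.388": { _npmUser: { name: "ci-b" }, dependencies: { a: "1.0.0", "@example/newdep": "2.0.0" },
      dist: { attestations: { url: "https://registry.example/attestations/3", provenance: { predicateType: SLSA_V1 } } } },
  },
};

// True only when the registry records a SLSA v1 provenance attestation for this version.
function hasSlsaProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  const prov = att && att.provenance;
  return Boolean(prov && prov.predicateType === SLSA_V1);
}

// Versions ordered by publish time, so "previous version" means the previous publish,
// not the previous semver (publish order is what a publisher-change check cares about).
function versionsByPublishTime(packument) {
  return Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

// Walk the publish history and emit one finding object per triggered rule.
function reviewVersions(packument) {
  const findings = [];
  let prev = null;
  for (const version of versionsByPublishTime(packument)) {
    const doc = packument.versions[version];
    if (!hasSlsaProvenance(doc)) {
      findings.push({ version, rule: "no-provenance", detail: "" });
    }
    if (prev !== null) {
      const prevDoc = packument.versions[prev];
      const before = prevDoc._npmUser && prevDoc._npmUser.name;
      const after = doc._npmUser && doc._npmUser.name;
      if (before && after && before !== after) {
        findings.push({ version, rule: "publisher-changed", detail: `${before} -> ${after}` });
      }
      const prevDeps = prevDoc.dependencies || {};
      const added = Object.keys(doc.dependencies || {}).filter((d) => !(d in prevDeps));
      if (added.length > 0) {
        findings.push({ version, rule: "new-deps-added", detail: added.join(", ") });
      }
    }
    prev = version;
  }
  return findings;
}

// Mirror the Accepted risks table: a reviewer accepts a rule, and only the remaining
// findings stay open. Acceptance is by rule name here; the real table also keys some
// rules by subject (e.g. unvetted-dep:<name>), which is a straightforward extension.
function applyAcceptedRisks(findings, acceptedRules) {
  return findings.filter((f) => !acceptedRules.has(f.rule));
}

const ALL_FINDINGS = reviewVersions(SAMPLE_PACKUMENT);
const OPEN_FINDINGS = applyAcceptedRisks(ALL_FINDINGS, new Set(["no-provenance", "publisher-changed"]));
for (const f of ALL_FINDINGS) console.log(`${f.version}\t${f.rule}\t${f.detail}`);
console.log(`open after accepted risks: ${OPEN_FINDINGS.length}`);
```

To run this against a real package, fetch the full packument from `https://registry.npmjs.org/<name>` (the `_npmUser` and `dist.attestations` fields live on each version document there) and pass the parsed JSON to `reviewVersions`. Note that the presence of an attestation only tells you the registry holds one; `npm audit signatures` performs the actual signature and provenance verification for the packages in a project's lockfile, and is the check to run before trusting the "strongest supply chain integrity signal" wording above.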