@514labs/moose-lib
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-peer-dep:ts-patch | AI (dependencies): Peer dependency in optional peer deps; already marked as accepted risk. | ai | |
| provenance | publisher-changed | AI (provenance): 514labs transitioned from 514bot to GitHub Actions for publishing, confirmed by SLSA provenance attestation. This is a legitimate CI/CD migration, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): luciofranco appears to be a legitimate team member addition within the 514labs org, consistent with the GitHub Actions publishing transition and SLSA attestation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @514labs/kafka-javascript is a same-org scoped package, not a third-party injection. Consistent with internal tooling expansion. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is missing but common across npm ecosystem; not a disqualifier for established packages with clean publisher track records. | ai | |
| dependencies | unvetted-dep:@confluentinc/kafka-javascript | AI (dependencies): @confluentinc/kafka-javascript is the official Confluent Kafka JS client; legitimate dependency for a data engineering framework like moose-lib. | ai | |
| phantom-deps | phantom-dep:tsconfig-paths | AI (phantom-deps): tsconfig-paths is used at runtime via ts-node for TypeScript path resolution; not directly imported in source but legitimately needed. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is 695 days old with 4213 versions and a legitimate data engineering framework purpose; missing metadata is a hygiene issue, not a spam/malware indicator. | ai | |
| dependencies | unvetted-dep:@514labs/kafka-javascript | AI (dependencies): Publisher's own patched fork of kafka-javascript; consistent with the package's data infrastructure focus. | ai | |
| dependencies | unvetted-dep:@kafkajs/confluent-schema-registry | AI (dependencies): Well-known Confluent Schema Registry client maintained by the KafkaJS org. Legitimate dependency for Kafka-based data pipelines. | ai | |
| dependencies | unvetted-dep:@temporalio/client | AI (dependencies): Temporal.io SDK is a well-known, legitimate workflow orchestration library from Temporal Technologies. Stable dependency for this data infrastructure package. | ai | |
| dependencies | unvetted-dep:@temporalio/common | AI (dependencies): Temporal.io SDK common package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/worker | AI (dependencies): Temporal.io SDK worker package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/activity | AI (dependencies): Temporal.io SDK activity package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@temporalio/workflow | AI (dependencies): Temporal.io SDK workflow package from Temporal Technologies. Legitimate and stable dependency. | ai | |
| dependencies | unvetted-dep:@clickhouse/client-web | AI (dependencies): Official ClickHouse browser-compatible client from ClickHouse Inc. Legitimate dependency for a data infrastructure library. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Automated CI/CD publishing pipeline for an established package; missing description is a cosmetic issue, not a security signal. | ai | |
| phantom-deps | phantom-dep:@clickhouse/client-web | AI (phantom-deps): ClickHouse web client declared for browser-compatible export path; phantom-dep flag is expected given the conditional export structure. | ai | |
| phantom-deps | phantom-dep:@temporalio/common | AI (phantom-deps): Temporal common types package declared for type-level usage; phantom-dep flag is expected for type/config dependencies. | ai | |
| phantom-deps | phantom-dep:fastq | AI (phantom-deps): fastq is a legitimate declared dependency used transitively; phantom-dep flag is a structural note, not a security concern for this package. | ai | |
Versions (showing 76 of 576)
| Version | Deps | Published |
|---|---|---|
| 0.4.200 | 14 / 6 | |
| 0.4.199 | 14 / 6 | |
| 0.4.198 | 14 / 6 | |
| 0.4.197 | 14 / 6 | |
| 0.4.196 | 14 / 6 | |
| 0.4.195 | 13 / 6 | |
| 0.4.194 | 13 / 6 | |
| 0.4.193 | 13 / 6 | |
| 0.4.192 | 13 / 6 | |
| 0.4.191 | 13 / 6 | |
| 0.4.190 | 13 / 6 | |
| 0.4.189 | 13 / 6 | |
| 0.4.188 | 13 / 6 | |
| 0.4.187 | 13 / 6 | |
| 0.4.186 | 13 / 6 | |
| 0.4.185 | 13 / 6 | |
| 0.4.184 | 13 / 6 | |
| 0.4.183 | 13 / 6 | |
| 0.4.182 | 13 / 6 | |
| 0.4.181 | 13 / 6 | |
| 0.4.180 | 13 / 6 | |
| 0.4.179 | 13 / 6 | |
| 0.4.178 | 13 / 6 | |
| 0.4.177 | 13 / 6 | |
| 0.4.176 | 13 / 6 | |
| 0.4.175 | 13 / 6 | |
| 0.4.174 | 13 / 6 | |
| 0.4.173 | 13 / 6 | |
| 0.4.172 | 13 / 6 | |
| 0.4.171 | 13 / 6 | |
| 0.4.170 | 13 / 6 | |
| 0.4.169 | 13 / 6 | |
| 0.4.168 | 13 / 6 | |
| 0.4.167 | 13 / 6 | |
| 0.4.166 | 13 / 6 | |
| 0.4.165 | 13 / 6 | |
| 0.4.164 | 13 / 6 | |
| 0.4.163 | 13 / 6 | |
| 0.4.162 | 13 / 6 | |
| 0.4.161 | 13 / 6 | |
| 0.4.160 | 13 / 6 | |
| 0.4.159 | 13 / 6 | |
| 0.4.158 | 13 / 6 | |
| 0.4.157 | 13 / 6 | |
| 0.4.156 | 13 / 6 | |
| 0.4.155 | 13 / 6 | |
| 0.4.154 | 13 / 6 | |
| 0.4.153 | 13 / 6 | |
| 0.4.152 | 13 / 6 | |
| 0.4.151 | 13 / 6 | |
| 0.4.150 | 13 / 6 | |
| 0.4.149 | 13 / 6 | |
| 0.4.148 | 13 / 6 | |
| 0.4.147 | 13 / 6 | |
| 0.4.146 | 13 / 6 | |
| 0.4.145 | 13 / 6 | |
| 0.4.144 | 13 / 6 | |
| 0.4.143 | 13 / 6 | |
| 0.4.142 | 13 / 6 | |
| 0.4.141 | 13 / 6 | |
| 0.4.140 | 13 / 6 | |
| 0.4.139 | 13 / 6 | |
| 0.4.138 | 13 / 6 | |
| 0.4.137 | 13 / 6 | |
| 0.4.136 | 13 / 6 | |
| 0.4.135 | 13 / 6 | |
| 0.4.134 | 13 / 6 | |
| 0.4.133 | 13 / 6 | |
| 0.4.132 | 13 / 6 | |
| 0.4.131 | 13 / 6 | |
| 0.4.130 | 13 / 6 | |
| 0.4.129 | 13 / 6 | |
| 0.4.128 | 13 / 6 | |
| 0.4.127 | 13 / 6 | |
| 0.4.126 | 13 / 6 | |
| 0.4.125 | 13 / 6 | |
v0.4.200 through v0.4.125 (all 76 versions listed above)
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. Each of these 76 versions carries this same single finding and no other.