@514labs/moose-lib — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

calliclestimgdelislejonathan514luciofrancogeorgevanderson514bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-peer-dep:ts-patch	AI (dependencies): Peer dependency in optional peer deps; already marked as accepted risk.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): 514labs transitioned from 514bot to GitHub Actions for publishing, confirmed by SLSA provenance attestation. This is a legitimate CI/CD migration, not a compromise.	ai	2026/04/27
maintainer-change	maintainer-added	AI (maintainer-change): luciofranco appears to be a legitimate team member addition within the 514labs org, consistent with the GitHub Actions publishing transition and SLSA attestation.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): @514labs/kafka-javascript is a same-org scoped package, not a third-party injection. Consistent with internal tooling expansion.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Provenance attestation is missing but common across npm ecosystem; not a disqualifier for established packages with clean publisher track records.	ai	2026/04/27
dependencies	unvetted-dep:@confluentinc/kafka-javascript	AI (dependencies): @confluentinc/kafka-javascript is the official Confluent Kafka JS client; legitimate dependency for a data engineering framework like moose-lib.	ai	2026/04/27
phantom-deps	phantom-dep:tsconfig-paths	AI (phantom-deps): tsconfig-paths is used at runtime via ts-node for TypeScript path resolution; not directly imported in source but legitimately needed.	ai	2026/04/27
bogus-package	bogus-package	AI (bogus-package): Package is 695 days old with 4213 versions and a legitimate data engineering framework purpose; missing metadata is a hygiene issue, not a spam/malware indicator.	ai	2026/04/27
dependencies	unvetted-dep:@514labs/kafka-javascript	AI (dependencies): Publisher's own patched fork of kafka-javascript; consistent with the package's data infrastructure focus.	ai	2026/04/26
dependencies	unvetted-dep:@kafkajs/confluent-schema-registry	AI (dependencies): Well-known Confluent Schema Registry client maintained by the KafkaJS org. Legitimate dependency for Kafka-based data pipelines.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/client	AI (dependencies): Temporal.io SDK is a well-known, legitimate workflow orchestration library from Temporal Technologies. Stable dependency for this data infrastructure package.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/common	AI (dependencies): Temporal.io SDK common package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/worker	AI (dependencies): Temporal.io SDK worker package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/activity	AI (dependencies): Temporal.io SDK activity package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/workflow	AI (dependencies): Temporal.io SDK workflow package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@clickhouse/client-web	AI (dependencies): Official ClickHouse browser-compatible client from ClickHouse Inc. Legitimate dependency for a data infrastructure library.	ai	2026/04/26
npm-metadata	no-description	AI (npm-metadata): Automated CI/CD publishing pipeline for an established package; missing description is a cosmetic issue, not a security signal.	ai	2026/04/25
phantom-deps	phantom-dep:@clickhouse/client-web	AI (phantom-deps): ClickHouse web client declared for browser-compatible export path; phantom-dep flag is expected given the conditional export structure.	ai	2026/04/25
phantom-deps	phantom-dep:@temporalio/common	AI (phantom-deps): Temporal common types package declared for type-level usage; phantom-dep flag is expected for type/config dependencies.	ai	2026/04/25
phantom-deps	phantom-dep:fastq	AI (phantom-deps): fastq is a legitimate declared dependency used transitively; phantom-dep flag is a structural note, not a security concern for this package.	ai	2026/04/25

Versions (showing 100 of 576)

Version	Deps	Published
0.6.31	16 / 10	2025-09-05
0.6.30	16 / 10	2025-09-05
0.6.29	16 / 10	2025-09-05
0.6.28	16 / 10	2025-09-04
0.6.27	16 / 10	2025-09-04
0.6.26	16 / 10	2025-09-04
0.6.25	16 / 10	2025-09-03
0.6.24	16 / 10	2025-09-03
0.6.23	16 / 10	2025-09-03
0.6.22	16 / 10	2025-09-03
0.6.21	16 / 10	2025-09-03
0.6.20	16 / 10	2025-09-02
0.6.19	16 / 10	2025-09-02
0.6.18	16 / 10	2025-09-01
0.6.17	16 / 10	2025-08-23
0.6.16	16 / 10	2025-08-23
0.6.15	16 / 10	2025-08-22
0.6.14	16 / 10	2025-08-22
0.6.13	16 / 10	2025-08-22
0.6.12	16 / 10	2025-08-22
0.6.11	16 / 10	2025-08-22
0.6.10	16 / 10	2025-08-22
0.6.9	16 / 10	2025-08-22
0.6.8	16 / 10	2025-08-22
0.6.7	16 / 10	2025-08-21
0.6.6	16 / 10	2025-08-21
0.6.5	16 / 10	2025-08-21
0.6.4	16 / 10	2025-08-21
0.6.3	16 / 10	2025-08-21
0.6.2	16 / 10	2025-08-21
0.6.1	16 / 10	2025-08-20
0.6.0	16 / 10	2025-08-20
0.5.29	16 / 10	2025-08-19
0.5.28	16 / 10	2025-08-19
0.5.27	16 / 10	2025-08-19
0.5.26	16 / 10	2025-08-19
0.5.25	16 / 10	2025-08-18
0.5.24	16 / 10	2025-08-18
0.5.23	16 / 10	2025-08-15
0.5.22	16 / 10	2025-08-15
0.5.21	16 / 10	2025-08-15
0.5.20	16 / 10	2025-08-15
0.5.19	16 / 10	2025-08-15
0.5.18	16 / 10	2025-08-14
0.5.17	16 / 10	2025-08-14
0.5.16	16 / 10	2025-08-13
0.5.15	16 / 10	2025-08-13
0.5.14	16 / 10	2025-08-13
0.5.13	16 / 10	2025-08-12
0.5.12	16 / 10	2025-08-12
0.5.11	16 / 10	2025-08-12
0.5.10	16 / 10	2025-08-11
0.5.9	16 / 10	2025-08-08
0.5.8	16 / 10	2025-08-08
0.5.7	16 / 10	2025-08-08
0.5.6	16 / 10	2025-08-07
0.5.5	16 / 10	2025-08-07
0.5.4	16 / 10	2025-08-06
0.5.3	16 / 10	2025-08-06
0.5.2	16 / 10	2025-08-06
0.5.1	16 / 10	2025-08-05
0.5.0	16 / 10	2025-08-05
0.4.338	16 / 10	2025-08-05
0.4.337	16 / 10	2025-08-05
0.4.336	16 / 10	2025-08-04
0.4.335	16 / 10	2025-08-04
0.4.334	16 / 10	2025-08-04
0.4.333	16 / 10	2025-08-04
0.4.332	16 / 10	2025-08-03
0.4.331	16 / 10	2025-08-03
0.4.330	16 / 10	2025-08-01
0.4.329	16 / 10	2025-08-01
0.4.328	16 / 10	2025-08-01
0.4.327	16 / 10	2025-08-01
0.4.326	16 / 10	2025-07-30
0.4.325	16 / 10	2025-07-30
0.4.324	16 / 10	2025-07-28
0.4.323	16 / 10	2025-07-28
0.4.322	16 / 10	2025-07-28
0.4.321	16 / 10	2025-07-27
0.4.320	16 / 10	2025-07-25
0.4.319	16 / 10	2025-07-25
0.4.318	16 / 10	2025-07-25
0.4.317	16 / 10	2025-07-24
0.4.316	16 / 10	2025-07-24
0.4.315	16 / 10	2025-07-24
0.4.314	16 / 10	2025-07-23
0.4.313	16 / 10	2025-07-23
0.4.312	16 / 10	2025-07-22
0.4.311	16 / 10	2025-07-22
0.4.310	16 / 10	2025-07-21
0.4.309	16 / 10	2025-07-21
0.4.308	16 / 10	2025-07-19
0.4.307	16 / 10	2025-07-18
0.4.306	16 / 10	2025-07-18
0.4.305	16 / 10	2025-07-17
0.4.304	16 / 10	2025-07-17
0.4.303	16 / 10	2025-07-16
0.4.302	16 / 10	2025-07-14
0.4.301	16 / 10	2025-07-12

Showing 100 of 576 Next page →