@actions/artifact No license 9 versions

@actions/artifact

npm Repository Homepage

9

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

bryanmacfarlanethboopericsciplebdehamer

Keywords

githubactionsartifact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): SLSA provenance attestation confirms CI/CD publish from official GitHub Actions org; dormancy explained by major rewrite.	ai	2026/05/08
phantom-deps	phantom-dep:tmp	AI (phantom-deps): tmp is a declared runtime dep used indirectly via tmp-promise; phantom-dep heuristic is a false positive here.	ai	2026/05/08
dependencies	unvetted-dep:@protobuf-ts/plugin	AI (dependencies): Build-time protobuf codegen tool; phantom-dep analysis confirms it is not directly imported at runtime. Stable pattern for this package.	ai	2026/05/08
phantom-deps	phantom-dep:@azure/core-http	AI (phantom-deps): Framework-scoped Azure SDK package loaded by convention; stable false positive for this package.	ai	2026/05/08
phantom-deps	phantom-dep:@octokit/request-error	AI (phantom-deps): Transitive octokit dep declared for version pinning; stable false positive for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@protobuf-ts/plugin	AI (phantom-deps): Build-time protobuf generator; declared as dep but used only in build config, not directly imported at runtime.	ai	2026/05/04
phantom-deps	phantom-dep:@octokit/request	AI (phantom-deps): Transitive octokit dep declared for version pinning; stable false positive for this package.	ai	2026/05/04

Versions (showing 9 of 9)

Version	Deps	Published
6.2.1	14 / 5	2026-03-11
6.2.0	14 / 5	2026-02-25
6.1.0	14 / 5	2026-01-30
6.0.0	14 / 5	2026-01-29
5.0.3	13 / 5	2026-01-27
5.0.2	13 / 5	2026-01-08
5.0.1	13 / 5	2025-12-12
5.0.0	14 / 5	2025-12-11
1.1.3	4 / 2	2026-03-16

v6.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.