@agentuity/workbench
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Missing metadata is a stable characteristic of this org's workbench package, not a spam/malware indicator. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Org package with active maintainer rotation; publisher-changed-known-maintainer INFO confirms huijiro is a legitimate maintainer. | ai | |
| source-diff | obfuscated-file:dist/components/ai-elements/open-in-chat.js | AI (source-diff): Long lines are inlined SVG path data in compiled TSX output, not obfuscation. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-avatar | AI (dependencies): Well-known Radix UI component library; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:bun-plugin-tailwind | AI (dependencies): Build-time Tailwind plugin; referenced in build scripts, not a runtime risk. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-hover-card | AI (dependencies): Well-known Radix UI component library; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@xyflow/react | AI (phantom-deps): Config-level usage in UI workbench. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Config-level usage in UI workbench. | ai | |
| phantom-deps | phantom-dep:non.geist | AI (phantom-deps): Font package referenced in CSS/config, not imported in JS. | ai | |
| phantom-deps | phantom-dep:@agentuity/react | AI (phantom-deps): Same-org dep; expected in workbench package. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Config/type-level usage in a UI workbench; not a direct import pattern. | ai | |
| phantom-deps | phantom-dep:@hookform/resolvers | AI (phantom-deps): Config-level usage in UI workbench. | ai | |
| phantom-deps | phantom-dep:bun-plugin-tailwind | AI (phantom-deps): Build tool referenced in bun config, not direct JS import. | ai | |
| phantom-deps | phantom-dep:tailwindcss-animate | AI (phantom-deps): CSS plugin referenced in tailwind config, not direct JS import. | ai | |
| phantom-deps | phantom-dep:embla-carousel-react | AI (phantom-deps): Config-level usage in UI workbench. | ai | |
| phantom-deps | phantom-dep:tokenlens | AI (phantom-deps): Utility referenced in config, not direct import. | ai | |
| phantom-deps | phantom-dep:streamdown | AI (phantom-deps): Referenced in config files, consistent with workbench pattern. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/react | AI (phantom-deps): Peer/config-level usage in UI workbench. | ai | |
Versions (showing 81 of 81)
| Version | Deps | Published |
|---|---|---|
| 2.0.25 | 28 / 12 | |
| 2.0.23 | 28 / 12 | |
| 2.0.21 | 28 / 12 | |
| 2.0.20 | 28 / 12 | |
| 2.0.18 | 28 / 12 | |
| 2.0.16 | 28 / 12 | |
| 2.0.15 | 28 / 12 | |
| 2.0.13 | 28 / 12 | |
| 2.0.10 | 28 / 12 | |
| 2.0.8 | 28 / 12 | |
| 2.0.7 | 28 / 12 | |
| 2.0.4 | 28 / 12 | |
| 2.0.2 | 28 / 12 | |
| 2.0.1 | 28 / 12 | |
| 2.0.0 | 28 / 12 | |
| 1.0.63 | 28 / 12 | |
| 1.0.61 | 28 / 12 | |
| 1.0.60 | 28 / 12 | |
| 1.0.57 | 28 / 12 | |
| 1.0.53 | 28 / 12 | |
| 1.0.41 | 28 / 12 | |
| 1.0.37 | 28 / 12 | |
| 1.0.36 | 28 / 12 | |
| 1.0.34 | 28 / 12 | |
| 1.0.29 | 28 / 12 | |
| 1.0.28 | 28 / 12 | |
| 1.0.27 | 28 / 12 | |
| 1.0.25 | 28 / 12 | |
| 1.0.24 | 28 / 12 | |
| 1.0.17 | 28 / 12 | |
| 1.0.14 | 28 / 12 | |
| 1.0.13 | 28 / 12 | |
| 1.0.11 | 28 / 12 | |
| 1.0.10 | 28 / 12 | |
| 1.0.7 | 28 / 12 | |
| 1.0.3 | 28 / 12 | |
| 1.0.1 | 28 / 12 | |
| 1.0.0 | 28 / 12 | |
| 0.1.42 | 28 / 12 | |
| 0.1.40 | 28 / 12 | |
| 0.1.39 | 28 / 12 | |
| 0.1.37 | 28 / 12 | |
| 0.1.36 | 28 / 12 | |
| 0.1.35 | 28 / 12 | |
| 0.1.22 | 28 / 12 | |
| 0.1.21 | 28 / 12 | |
| 0.1.16 | 28 / 12 | |
| 0.1.14 | 28 / 12 | |
| 0.1.13 | 28 / 12 | |
| 0.1.9 | 28 / 12 | |
| 0.1.6 | 28 / 12 | |
| 0.1.5 | 28 / 12 | |
| 0.1.3 | 28 / 12 | |
| 0.1.0 | 28 / 12 | |
| 0.0.103 | 28 / 9 | |
| 0.0.102 | 28 / 9 | |
| 0.0.100 | 28 / 8 | |
| 0.0.99 | 28 / 8 | |
| 0.0.98 | 28 / 8 | |
| 0.0.97 | 28 / 8 | |
| 0.0.94 | 29 / 7 | |
| 0.0.92 | 29 / 7 | |
| 0.0.90 | 29 / 7 | |
| 0.0.89 | 29 / 7 | |
| 0.0.86 | 45 / 7 | |
| 0.0.84 | 45 / 7 | |
| 0.0.79 | 45 / 7 | |
| 0.0.76 | 45 / 7 | |
| 0.0.70 | 45 / 7 | |
| 0.0.67 | 45 / 7 | |
| 0.0.64 | 9 / 5 | |
| 0.0.63 | 9 / 5 | |
| 0.0.62 | 9 / 5 | |
| 0.0.61 | 9 / 5 | |
| 0.0.60 | 9 / 5 | |
| 0.0.59 | 9 / 5 | |
| 0.0.58 | 9 / 5 | |
| 0.0.57 | 9 / 5 | |
| 0.0.56 | 2 / 3 | |
| 0.0.55 | 2 / 3 | |
| 0.0.54 | 2 / 3 | |
v2.0.25
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (huijiro) than the most recent previously approved version (jhaynie) on 2026-06-01, but huijiro is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.0.23
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (huijiro) than the most recent previously approved version (jhaynie) on 2026-05-29, but huijiro is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.0.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.63
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.61
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.60
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.57
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.53
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.41
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.37
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.36
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.34
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.42
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.40
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.39
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.37
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.36
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.35
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.14
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.103
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.102
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.100
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.99
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.98
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.97
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.94
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.92
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.90
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.89
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.86
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.84
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.79
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.76
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.70
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.67
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.64
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.63
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.62
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.61
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.60
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.59
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.58
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.57
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.56
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.55
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.54
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.