@alwaysmeticulous/api
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; missing gitHead is a minor metadata gap, not a supply chain risk for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions with SLSA provenance attestation; this is an intentional CI/CD publishing transition for this package. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @alwaysmeticulous/api; suffix match against 'hapi' is a stable false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package; suffix match against 'pg' is a stable false positive. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package; suffix match against 'joi' is a stable false positive. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package; suffix match against 'ajv' is a stable false positive. | ai | |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 2.290.2 | 0 / 0 | |
| 2.290.0 | 0 / 0 | |
| 2.289.1 | 0 / 0 | |
| 2.288.2 | 0 / 0 | |
| 2.288.0 | 0 / 0 | |
| 2.286.0 | 0 / 0 | |
| 2.285.2 | 0 / 0 | |
| 2.285.1 | 0 / 0 | |
| 2.285.0 | 0 / 0 | |
| 2.283.1 | 0 / 0 | |
| 2.280.0 | 0 / 0 | |
| 2.276.2 | 0 / 0 | |
| 2.275.0 | 0 / 0 | |
| 2.274.2 | 0 / 0 | |
| 2.273.0 | 0 / 0 | |
| 2.267.0 | 0 / 0 | |
| 2.264.0 | 0 / 0 | |
| 2.262.0 | 0 / 0 | |
| 2.259.0 | 0 / 0 | |
| 2.257.1 | 0 / 0 | |
| 2.256.0 | 0 / 0 | |
| 2.255.0 | 0 / 0 | |
| 2.254.1 | 0 / 0 | |
| 2.251.1 | 0 / 0 | |
| 2.251.0 | 0 / 0 | |
| 2.250.7 | 0 / 0 | |
| 2.250.6 | 0 / 0 | |
| 2.250.3 | 0 / 0 | |
| 2.250.2 | 0 / 0 | |
| 2.248.14 | 0 / 0 | |
| 2.248.0 | 0 / 0 | |
| 2.246.0 | 0 / 0 | |
| 2.242.6 | 0 / 0 | |
| 2.242.5 | 0 / 0 | |
| 2.242.4 | 0 / 0 | |
| 2.241.0 | 0 / 0 | |
| 2.240.3 | 0 / 0 | |
| 2.239.3 | 0 / 0 | |
| 2.235.2 | 0 / 0 | |
| 2.233.0 | 0 / 0 | |
| 2.232.0 | 0 / 0 | |
| 2.231.0 | 0 / 0 | |
| 2.227.1 | 0 / 0 | |
| 2.225.0 | 0 / 0 | |
| 2.224.0 | 0 / 0 | |
| 2.223.0 | 0 / 0 | |
| 2.221.2 | 0 / 0 | |
| 2.221.0 | 0 / 0 | |
| 2.219.0 | 0 / 0 | |
v2.290.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.290.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.289.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.288.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.288.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.286.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.285.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.285.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.285.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.283.1
2 findings
Package name '@alwaysmeticulous/api' is 1 edit(s) away from popular package 'hapi'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.280.0
2 findings
Package name '@alwaysmeticulous/api' is 1 edit(s) away from popular package 'hapi'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.276.2
2 findings
Package name '@alwaysmeticulous/api' is 1 edit(s) away from popular package 'hapi'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.275.0
2 findings
Package name '@alwaysmeticulous/api' is 1 edit(s) away from popular package 'hapi'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.274.2
2 findings
Package name '@alwaysmeticulous/api' is 1 edit(s) away from popular package 'hapi'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.273.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.267.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.264.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.262.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.259.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.257.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.256.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.255.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.254.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.251.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.251.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.250.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.250.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.250.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.250.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.248.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.248.0
2 findings
This version was published by a different npm account than previous versions on 2025-11-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.246.0
2 findings
This version was published by a different npm account than previous versions on 2025-11-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.242.6
2 findings
This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.242.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.242.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.241.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.240.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.239.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.235.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.233.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.232.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.231.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.227.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.225.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.224.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.223.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.221.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.221.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.219.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.