@alwaysmeticulous/client
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): 265 versions in registry; package is actively maintained. Dormancy signal is a false positive here. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; missing gitHead is a minor metadata gap, not a supply chain risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal SDK helper package; sparse README and no keywords are expected for monorepo utility packages. | ai | |
Versions (showing 15 of 125)
| Version | Deps | Published |
|---|---|---|
| 2.230.0 | 5 / 0 | |
| 2.229.3 | 5 / 0 | |
| 2.229.2 | 5 / 0 | |
| 2.229.1 | 5 / 0 | |
| 2.229.0 | 5 / 0 | |
| 2.228.0 | 6 / 0 | |
| 2.227.1 | 5 / 0 | |
| 2.226.0 | 5 / 0 | |
| 2.225.0 | 5 / 0 | |
| 2.224.0 | 5 / 0 | |
| 2.223.0 | 5 / 0 | |
| 2.221.2 | 5 / 0 | |
| 2.221.0 | 5 / 0 | |
| 2.219.1 | 5 / 0 | |
| 2.219.0 | 5 / 0 | |
v2.230.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.229.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.229.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.229.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.229.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.228.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.227.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.226.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.225.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.224.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.223.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v2.221.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.221.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.219.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.219.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.