← Home

@arach/dewey

npm Repository Homepage
9
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arach

Keywords

documentationdocsclireactcomponentsagentsllmmarkdown

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-tripled AI (source-diff): Size growth is consistent with expanded CSS theming (8 color themes) and new React component files in a documentation toolkit; not indicative of injected payload. ai
source-diff large-new-source-files AI (source-diff): 21 new files align with the expanded CSS color themes and component additions visible in the exports map; organic growth for this package. ai
publish-pattern new-deps-added AI (publish-pattern): class-variance-authority is a well-known React component variant utility; addition is consistent with the package's styling system refactor replacing clsx/tailwind-merge. ai
phantom-deps phantom-dep:react-markdown AI (phantom-deps): Declared dependency used via config; common pattern in markdown/docs tools. ai
phantom-deps phantom-dep:remark-gfm AI (phantom-deps): Declared dependency used via config; common pattern in markdown/docs tools. ai
phantom-deps phantom-dep:class-variance-authority AI (phantom-deps): Declared dependency used via config; common pattern in markdown/docs tools. ai
phantom-deps phantom-dep:rehype-slug AI (phantom-deps): Declared dependency used via config; common pattern in markdown/docs tools. ai
phantom-deps phantom-dep:highlight.js AI (phantom-deps): Declared dependency used via config; common pattern in markdown/docs tools. ai

Versions (showing 9 of 9)

Version Deps Published
0.3.6 11 / 11
0.3.5 11 / 11
0.3.4 11 / 11
0.3.3 11 / 11
0.3.2 11 / 11
0.3.1 11 / 11
0.3.0 11 / 11
0.2.0 13 / 8
0.1.0 10 / 8

v0.3.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.