@atproto/pds
Reference implementation of atproto Personal Data Server (PDS)
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on. Most of the acceptances rest on the dependency sharing the @atproto or @atproto-labs scope with the package under review; that addresses typosquatting and unknown-maintainer risk, but not a compromised org publish token or CI runner, which would affect every sibling package equally, so the per-version provenance recorded further down remains the stronger signal.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @atproto/did is a first-party same-org dependency; no supply chain risk. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large atproto monorepo; incremental source file additions are expected across minor releases. | ai | |
| dependencies | unvetted-dep:@did-plc/lib | AI (dependencies): DID PLC library from the same Bluesky ecosystem; expected dependency for a PDS. | ai | |
| dependencies | unvetted-dep:@atproto/xrpc-server | AI (dependencies): Same org scope (@atproto); sibling package in the official monorepo. | ai | |
| dependencies | unvetted-dep:nodemailer-html-to-text | AI (dependencies): Email utility dep; expected for PDS email functionality. | ai | |
| dependencies | unvetted-dep:@atproto-labs/xrpc-utils | AI (dependencies): Same org scope (@atproto-labs); sibling package in the official monorepo. | ai | |
| dependencies | unvetted-dep:@atproto-labs/simple-store-redis | AI (dependencies): Same org scope (@atproto-labs); sibling package in the official monorepo. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Legitimate templating dep for email/HTML in the official atproto PDS; stable usage across versions. | ai | |
| dependencies | unvetted-dep:key-encoder | AI (dependencies): Crypto key encoding utility; expected in a PDS implementation handling cryptographic keys. | ai | |
| dependencies | unvetted-dep:@atproto/aws | AI (dependencies): Same org scope (@atproto); sibling package in the official monorepo. | ai | |
| phantom-deps | phantom-dep:@atproto/xrpc | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic is unreliable for monorepo packages. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @atproto/pds; levenshtein match to bare 'pg' is a false positive. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is standard HTTP Basic Auth credential parsing, not obfuscation. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @atproto/pds; levenshtein match to bare 'qs' is a false positive. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.5.1 | 45 / 19 | |
| 0.5.0 | 44 / 19 | |
| 0.4.225 | 44 / 19 | |
| 0.4.224 | 44 / 19 | |
| 0.4.223 | 44 / 18 | |
| 0.4.222 | 44 / 18 | |
| 0.4.221 | 44 / 18 | |
| 0.4.220 | 44 / 19 | |
| 0.4.219 | 44 / 19 | |
| 0.4.218 | 44 / 19 | |
Per-version findings
v0.5.1, v0.5.0, v0.4.225, v0.4.224, v0.4.223, v0.4.222, v0.4.221, v0.4.220, v0.4.219, v0.4.218: 1 finding each, identical across all ten versions. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the review reports: the signed statement binds the digest of the published tarball to the repository, workflow and commit that produced it, so a tarball pushed with a stolen publish token from outside that workflow would carry no matching attestation. It does not vouch for the source itself, and it only protects a consumer who verifies it at install time (npm audit signatures checks registry signatures and provenance attestations for installed packages) rather than taking the registry's provenance badge on trust.