@availity/workflow
Upgradable workflow for Availity boilerplate projects
Supply chain provenance
Status for the latest visible version (13.0.2): published without a provenance attestation.
Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap. Note that 12.2.1 was published with a Sigstore attestation and every later version was not, so provenance regressed on this package rather than never having existed.
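As an added example (not the report's or @availity/workflow's own tooling), the check below reads a registry packument, reports which versions carry a SLSA provenance predicate and which do not, and flags the regression pattern where a later version drops the attestation an earlier one had. The packument is constructed inline to mirror the versions on this page; its `dist.attestations` layout follows the shape the npm registry returns, which is an assumption about that format, and the publish timestamps are invented.

```python
"""Added example: audit npm registry metadata for missing or regressed
SLSA provenance. Not code from the report or from @availity/workflow."""
import json
from datetime import datetime

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample packument (timestamps invented, shape assumed to match
# the npm registry's `dist.attestations` field). 12.2.1 is attested, the
# later versions are not, as on the report.
PACKUMENT = json.loads("""{
  "name": "@availity/workflow",
  "time": {
    "created": "2024-01-10T12:00:00.000Z",
    "12.2.1": "2024-01-10T12:00:00.000Z",
    "12.2.3": "2024-02-05T12:00:00.000Z",
    "13.0.2": "2024-06-01T12:00:00.000Z"
  },
  "versions": {
    "12.2.1": {"dist": {
      "tarball": "https://registry.npmjs.org/@availity/workflow/-/workflow-12.2.1.tgz",
      "attestations": {
        "url": "https://registry.npmjs.org/-/npm/v1/attestations/@availity/workflow@12.2.1",
        "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}},
    "12.2.3": {"dist": {
      "tarball": "https://registry.npmjs.org/@availity/workflow/-/workflow-12.2.3.tgz"}},
    "13.0.2": {"dist": {
      "tarball": "https://registry.npmjs.org/@availity/workflow/-/workflow-13.0.2.tgz"}}
  }
}""")


def provenance_predicate(version_doc):
    """SLSA predicateType a version was published with, or None if absent."""
    attestations = version_doc.get("dist", {}).get("attestations") or {}
    return (attestations.get("provenance") or {}).get("predicateType")


def _publish_time(packument, version):
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def provenance_timeline(packument):
    """[(version, predicateType-or-None)] ordered by publish time."""
    versions = [v for v in packument["versions"] if v in packument["time"]]
    versions.sort(key=lambda v: _publish_time(packument, v))
    return [(v, provenance_predicate(packument["versions"][v])) for v in versions]


def provenance_regressions(packument):
    """Versions published without provenance after an attested version.

    A package that never had provenance is merely unattested; one that had
    it and lost it may indicate a changed publish path or a leaked token,
    which is worth a closer look before upgrading."""
    seen_attested = False
    lost = []
    for version, predicate in provenance_timeline(packument):
        if predicate:
            seen_attested = True
        elif seen_attested:
            lost.append(version)
    return lost


if __name__ == "__main__":
    for version, predicate in provenance_timeline(PACKUMENT):
        print(f"{version:8} {predicate or 'NO PROVENANCE'}")
    print("regressed:", provenance_regressions(PACKUMENT))
```

The `attestations` field only records that an attestation was uploaded; it does not verify it. For the versions it does cover, `npm audit signatures` in the consuming project checks the registry signatures and Sigstore bundles against the registry's published keys, which is the step that actually establishes the tarball-to-source link.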
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped; loaded by convention in babel/webpack toolchain. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Lint script uses spawnSync to invoke linter; standard for a workflow/build tool. | ai | |
| phantom-deps | phantom-dep:figures | AI (phantom-deps): CLI display utility; likely used transitively by logger. | ai | |
| phantom-deps | phantom-dep:pretty-ms | AI (phantom-deps): Timing display utility; used transitively in build output. | ai | |
| phantom-deps | phantom-dep:type-is | AI (phantom-deps): MIME type utility; used transitively in dev server config. | ai | |
| phantom-deps | phantom-dep:regenerator-runtime | AI (phantom-deps): Known implicit Babel runtime dependency. | ai | |
| phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:imports-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:esbuild-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:react-refresh | AI (phantom-deps): Used via @pmmmwh/react-refresh-webpack-plugin config; not directly imported. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in jest.config.js for optional user init file; expected pattern for a configurable workflow tool. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Node polyfill referenced in webpack config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:webpack-sources | AI (phantom-deps): Webpack internal referenced in plugin config; standard workflow tool pattern. | ai | |
| phantom-deps | phantom-dep:jest-environment-jsdom | AI (phantom-deps): Jest environment referenced in config; not directly imported. | ai | |
| phantom-deps | phantom-dep:eslint-config-availity | AI (phantom-deps): ESLint config package loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:babel-plugin-root-import | AI (phantom-deps): Babel plugin referenced in babel config; not directly imported. | ai | |
| phantom-deps | phantom-dep:babel-plugin-jsx-remove-data-test-id | AI (phantom-deps): Babel plugin referenced in babel config; not directly imported. | ai | |
| phantom-deps | phantom-dep:jsdom | AI (phantom-deps): Test environment dependency referenced in jest config; not directly imported. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): settings/index.js filters process.env keys against a known config allowlist; standard config-library pattern. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): Build tool that exposes sass as a peer/optional loader; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): PostCSS is a peer dependency used via postcss-loader config; standard build-tool pattern. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader referenced in config, not imported directly; expected for a workflow tool. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader referenced in config; standard workflow tool pattern. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 13.0.2 | 71 / 3 | |
| 13.0.0 | 71 / 3 | |
| 12.2.5 | 79 / 3 | |
| 12.2.4 | 79 / 3 | |
| 12.2.3 | 78 / 3 | |
| 12.2.1 | 78 / 3 | |
v13.0.2
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.0.0
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.5
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.4
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.3
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.1
2 findings:
Maintainer email '[email protected]' uses domain 'heatherdev.net', which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
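The maintainer-domain finding above is checkable from a packument's `maintainers` list. The added example below (not the report's or the project's own tooling) extracts each maintainer's e-mail domain and reports the ones that do not resolve, since an unregistered domain can be bought and then used to receive the maintainer's mail, including account-recovery messages. The maintainer entries are constructed; the local part of the real address is redacted on this page, so the sample uses an invented one. The resolver is injected so the check can run offline with a stub; the default uses the standard library, which has the limitation noted in the code.

```python
"""Added example: flag maintainer e-mail domains with no DNS records.
Not code from the report or from @availity/workflow."""
import socket
from collections import OrderedDict

# Constructed sample, shaped like a packument's "maintainers" array.
# The local part "maintainer" is invented; only the domain is from the report.
SAMPLE_MAINTAINERS = [
    {"name": "example-maintainer", "email": "maintainer@heatherdev.net"},
    {"name": "example-org", "email": "security@example.com"},
]


def email_domain(email):
    """Lower-cased domain part of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None


def resolves_with_stdlib(domain):
    """True if the domain has an A or AAAA record.

    Caveat: the standard library cannot query NS or MX, so a registered
    domain that only publishes MX records is reported here as unresolved.
    Confirm with an NS lookup (e.g. via dnspython or `dig NS`) before
    treating a domain as registrable."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def dangling_maintainer_domains(maintainers, resolve=resolves_with_stdlib):
    """Return {domain: [emails]} for maintainer domains that fail to resolve.

    `resolve` is any callable domain -> bool, so tests can stub DNS."""
    by_domain = OrderedDict()
    for maintainer in maintainers:
        domain = email_domain(maintainer.get("email", ""))
        if domain is None:
            continue  # malformed or missing address; nothing to look up
        by_domain.setdefault(domain, []).append(maintainer["email"])
    return {d: emails for d, emails in by_domain.items() if not resolve(d)}


if __name__ == "__main__":
    # Offline stub mirroring the report: heatherdev.net has no records.
    stub = lambda domain: domain != "heatherdev.net"
    for domain, emails in dangling_maintainer_domains(SAMPLE_MAINTAINERS, stub).items():
        print(f"dangling domain {domain}: {', '.join(emails)}")
```

A domain that is merely unresolved is the signal, not proof of takeover; the actionable follow-up is to confirm the domain is actually unregistered at the registry and, if so, to treat any new release from that maintainer account as suspect until the account's e-mail changes.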