@aws-cdk/cloud-assembly-schema

Schema for the protocol between CDK framework and CDK CLI

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

amzn-ossaws-cdk-team

Keywords

awscdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual AWS CDK team members (eladb, romainmuller, rix0rrr) is consistent with the shift to automated GitHub Actions publishing for this AWS-owned package.	ai	2026/04/22
source-diff	obfuscated-file:lib/integ-tests/commands/common.js	AI (source-diff): Long lines are inline base64 source maps (//# sourceMappingURL=data:application/json;base64,...), not obfuscation. Standard TypeScript compiler output for this AWS CDK package.	ai	2026/04/22
source-diff	obfuscated-file:lib/integ-tests/commands/deploy.js	AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package.	ai	2026/04/22
source-diff	obfuscated-file:lib/integ-tests/test-case.js	AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): AWS CDK migrated publishing to GitHub Actions with SLSA provenance attestation. This is a documented organizational transition, not a compromise. SLSA attestation confirms CI/CD integrity.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): The dynamic require in scripts/update-schema.js loads a hardcoded local JSON version file (cloud-assembly.version.json) via a constant path — no user input or arbitrary module loading. This is a dev/build script, not runtime code.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Published by the well-established aws-cdk-team with 842 approved packages. Lack of Sigstore provenance is acceptable for this trusted publisher.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): AWS CDK schema package; README links are legitimate protocol/framework references, not phishing. Semver reflects monorepo versioning, not inflation.	ai	2026/04/21
dependencies	unvetted-dep:jsonschema	AI (dependencies): jsonschema is a well-known JSON schema validator; bundled dependency with tight version constraint (~1.4.1).	ai	2026/04/21

Versions (showing 100 of 630)

Version	Deps	Published
2.28.0	2 / 8	2022-06-14
2.27.0	2 / 8	2022-06-03
2.26.0	2 / 8	2022-05-30
2.25.0	2 / 8	2022-05-21
2.24.1	2 / 8	2022-05-13
2.24.0	2 / 8	2022-05-12
2.23.0	2 / 8	2022-05-04
2.22.0	2 / 8	2022-04-28
2.21.1	2 / 8	2022-04-23
2.21.0	2 / 8	2022-04-22
2.20.0	2 / 8	2022-04-07
2.19.0	2 / 8	2022-04-01
2.18.0	2 / 8	2022-03-29
2.17.0	2 / 8	2022-03-17
2.16.0	2 / 8	2022-03-12
2.15.0	2 / 8	2022-03-01
2.14.0	2 / 8	2022-02-25
2.13.0	2 / 8	2022-02-19
2.12.0	2 / 8	2022-02-09
2.11.0	2 / 8	2022-02-08
2.10.0	2 / 8	2022-01-29
2.9.0	2 / 8	2022-01-26
2.8.0	2 / 8	2022-01-13
2.7.0	2 / 8	2022-01-12
2.6.0	2 / 8	2022-01-12
2.5.0	2 / 8	2022-01-09
2.4.0	2 / 8	2022-01-06
2.3.0	2 / 8	2021-12-22
2.2.0	2 / 8	2021-12-15
2.1.0	2 / 8	2021-12-08
2.0.0	2 / 8	2021-12-02
1.204.0	2 / 8	2023-06-19
1.203.0	2 / 8	2023-05-31
1.202.0	2 / 8	2023-05-22
1.201.0	2 / 8	2023-05-10
1.200.0	2 / 8	2023-04-26
1.199.0	2 / 8	2023-04-20
1.198.1	2 / 8	2023-03-31
1.198.0	2 / 8	2023-03-22
1.197.0	2 / 8	2023-03-14
1.196.0	2 / 8	2023-03-08
1.195.0	2 / 8	2023-03-02
1.194.0	2 / 8	2023-02-21
1.193.0	2 / 8	2023-02-15
1.192.0	2 / 8	2023-02-09
1.191.0	2 / 8	2023-01-31
1.190.0	2 / 8	2023-01-25
1.189.0	2 / 8	2023-01-19
1.188.0	2 / 8	2023-01-11
1.187.0	2 / 8	2023-01-03
1.186.1	2 / 8	2022-12-30
1.186.0	2 / 8	2022-12-29
1.185.0	2 / 8	2022-12-28
1.184.1	2 / 8	2022-12-23
1.184.0	2 / 8	2022-12-22
1.183.0	2 / 8	2022-12-14
1.182.0	2 / 8	2022-12-07
1.181.1	2 / 8	2022-11-29
1.181.0	2 / 8	2022-11-18
1.180.0	2 / 8	2022-11-01
1.179.0	2 / 8	2022-10-27
1.178.0	2 / 8	2022-10-20
1.177.0	2 / 8	2022-10-14
1.176.0	2 / 8	2022-10-06
1.175.0	2 / 8	2022-09-29
1.174.0	2 / 8	2022-09-22
1.173.0	2 / 8	2022-09-16
1.172.0	2 / 8	2022-09-08
1.171.0	2 / 8	2022-08-31
1.170.1	2 / 8	2022-08-31
1.170.0	2 / 8	2022-08-25
1.169.0	2 / 8	2022-08-18
1.168.0	2 / 8	2022-08-09
1.167.0	2 / 8	2022-08-02
1.166.1	2 / 8	2022-07-29
1.165.0	2 / 8	2022-07-19
1.164.0	2 / 8	2022-07-16
1.163.2	2 / 8	2022-07-14
1.163.1	2 / 8	2022-07-09
1.163.0	2 / 8	2022-07-06
1.162.0	2 / 8	2022-07-01
1.161.0	2 / 8	2022-06-23
1.160.0	2 / 8	2022-06-14
1.159.0	2 / 8	2022-06-03
1.158.0	2 / 8	2022-05-27
1.157.0	2 / 8	2022-05-21
1.156.1	2 / 8	2022-05-13
1.156.0	2 / 8	2022-05-12
1.155.0	2 / 8	2022-05-04
1.154.0	2 / 8	2022-04-28
1.153.1	2 / 8	2022-04-23
1.153.0	2 / 8	2022-04-22
1.152.0	2 / 8	2022-04-07
1.151.0	2 / 8	2022-04-01
1.150.0	2 / 8	2022-03-26
1.149.0	2 / 8	2022-03-17
1.148.0	2 / 8	2022-03-10
1.147.0	2 / 8	2022-03-01
1.146.0	2 / 8	2022-02-25
1.145.0	2 / 8	2022-02-19

Showing 100 of 630 Next page →

v2.28.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.27.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.26.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.25.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.24.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.24.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.23.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.22.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.21.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.21.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.20.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.19.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.18.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.17.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.16.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.15.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.14.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.13.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.12.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.11.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.10.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.204.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.203.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.202.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.201.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.200.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.199.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.198.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.198.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.197.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.196.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.195.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.194.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.193.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.192.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.191.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.190.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.189.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.188.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.187.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.186.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.186.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.185.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.184.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.184.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.183.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.182.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.181.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.181.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.180.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.179.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.178.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.177.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.176.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.175.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.174.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.173.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.172.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.171.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.170.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.170.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.169.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.168.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.167.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.166.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.165.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.164.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.163.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.163.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.163.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.162.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.161.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.160.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.159.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.158.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.157.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.156.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.156.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.155.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.154.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.153.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.153.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.152.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.151.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.150.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.149.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.148.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.147.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.146.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.145.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.