@backstage-community/plugin-todo-backend
A Backstage backend plugin that lets you browse TODO comments in your source code
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:leasot | AI (dependencies): leasot is a legitimate TODO-comment parser; its use is the core function of this todo-backend plugin. | ai | |
| phantom-deps | phantom-dep:yn | AI (phantom-deps): yn is a runtime dep used indirectly; phantom-dep heuristic fires but it's legitimately declared. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): Framework-scoped type package; phantom-dep false positive for backend plugins using express. | ai | |
| phantom-deps | phantom-dep:@backstage/catalog-client | AI (phantom-deps): Backstage backend plugin convention; catalog-client is used via DI, not direct import. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 0.21.1 | 13 / 5 | |
| 0.21.0 | 13 / 5 | |
| 0.20.0 | 13 / 5 | |
| 0.19.0 | 13 / 5 | |
| 0.18.1 | 13 / 5 | |
| 0.18.0 | 13 / 5 | |
| 0.17.0 | 13 / 5 | |
| 0.16.0 | 13 / 5 | |
| 0.15.0 | 13 / 5 | |
| 0.14.0 | 13 / 5 | |
| 0.13.0 | 13 / 5 | |
| 0.12.0 | 13 / 5 | |
| 0.11.0 | 13 / 5 | |
| 0.10.0 | 13 / 5 | |
v0.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.18.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.18.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.