@backstage/plugin-auth-backend-module-atlassian-provider
The atlassian-provider backend module for the auth plugin.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:passport-atlassian-oauth2 | AI (dependencies): passport-atlassian-oauth2 is the expected OAuth2 strategy for Atlassian auth integration; its use in this plugin is intentional and appropriate across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Official Backstage monorepo package; lack of Sigstore provenance is common and not a disqualifier for this well-established package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-packages in the Backstage project consistently have minimal READMEs and no keywords; this is a structural pattern, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): express is a declared dependency used transitively in Backstage auth plugins; phantom detection is a false positive for this package type. | ai | |
| phantom-deps | phantom-dep:passport | AI (phantom-deps): passport is a declared dependency used transitively in Backstage auth plugins; phantom detection is a false positive for this package type. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.4.15 | 6 / 6 | |
| 0.4.14 | 6 / 6 | |
| 0.4.13 | 6 / 6 | |
| 0.4.12 | 6 / 6 | |
| 0.4.11 | 6 / 6 | |
| 0.4.10 | 6 / 6 | |
| 0.4.9 | 6 / 6 | |
| 0.4.8 | 6 / 6 | |
| 0.4.7 | 6 / 6 | |
| 0.4.6 | 6 / 6 | |
| 0.4.5 | 6 / 6 | |
| 0.4.4 | 6 / 6 | |
| 0.4.3 | 6 / 6 |
v0.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.