@backstage/plugin-catalog-graph
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing signed attests which repository, commit and build job produced the bytes on the registry, so a tarball published from an attacker's machine is indistinguishable from one built in CI. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Backstage monorepo packages commonly omit description fields; not indicative of malice given clear official provenance. | ai | |
| provenance | no-provenance | AI (provenance): Backstage packages historically publish without Sigstore provenance; consistent across all versions of this package. | ai | |
| dependencies | unvetted-dep:@material-ui/icons | AI (dependencies): Well-known Material-UI icons package, standard dependency for Backstage UI plugins. | ai | |
| dependencies | unvetted-dep:@remixicon/react | AI (dependencies): Established icon library from Remix Icon, legitimate UI dependency for this plugin. | ai | |
| dependencies | unvetted-dep:@backstage/types | AI (dependencies): Official Backstage scoped package, part of the same monorepo ecosystem. Not a security risk. | ai | |
| phantom-deps | phantom-dep:@backstage/catalog-client | AI (phantom-deps): Same-org Backstage package; phantom usage is expected in monorepo builds where indirect usage is common. | ai | |
| phantom-deps | phantom-dep:p-limit | AI (phantom-deps): Common in monorepo-built packages; p-limit may be used in config/build tooling rather than direct imports. | ai | |
| dependencies | unvetted-dep:@material-ui/lab | AI (dependencies): Well-known Material-UI lab package, standard dependency for Backstage UI plugins. | ai | |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.6.4 | 17 / 14 | |
| 0.6.3 | 18 / 14 | |
| 0.6.2 | 18 / 14 | |
| 0.6.1 | 17 / 14 | |
| 0.5.4 | 15 / 13 | |
| 0.5.3 | 16 / 13 | |
| 0.5.2 | 16 / 13 | |
| 0.5.1 | 16 / 13 | |
| 0.5.0 | 16 / 13 | |
| 0.4.21 | 16 / 13 | |
| 0.4.20 | 16 / 13 | |
| 0.4.19 | 16 / 13 | |
v0.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.