@backstage/plugin-kubernetes
A Backstage plugin that integrates towards Kubernetes
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@xterm/xterm | AI (phantom-deps): Kubernetes plugin legitimately declares transitive deps; stable pattern. | ai | |
| phantom-deps | phantom-dep:@xterm/addon-attach | AI (phantom-deps): Kubernetes plugin legitimately declares transitive deps; stable pattern. | ai | |
| phantom-deps | phantom-dep:@xterm/addon-fit | AI (phantom-deps): Kubernetes plugin legitimately declares transitive deps; stable pattern. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Frontend plugin bundle; js-yaml used for Kubernetes manifest parsing in bundled output. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Frontend plugin bundle; lodash is a standard utility dep consumed via bundled dist. | ai | |
| phantom-deps | phantom-dep:cronstrue | AI (phantom-deps): Frontend plugin bundle; cronstrue used for cron expression display in bundled output. | ai | |
| phantom-deps | phantom-dep:xterm-addon-fit | AI (phantom-deps): Frontend plugin bundle; xterm-addon-fit is a legitimate xterm.js addon for terminal sizing. | ai | |
| phantom-deps | phantom-dep:kubernetes-models | AI (phantom-deps): Frontend plugin bundle; kubernetes-models used for K8s resource type definitions. | ai | |
| phantom-deps | phantom-dep:xterm-addon-attach | AI (phantom-deps): Frontend plugin bundle; xterm-addon-attach used for Kubernetes exec/attach terminal functionality. | ai | |
| phantom-deps | phantom-dep:@kubernetes-models/base | AI (phantom-deps): Frontend plugin bundle; legitimate K8s models base package. | ai | |
| phantom-deps | phantom-dep:@kubernetes/client-node | AI (phantom-deps): Frontend plugin bundle; K8s client used in bundled output. | ai | |
| phantom-deps | phantom-dep:@kubernetes-models/apimachinery | AI (phantom-deps): Frontend plugin bundle; legitimate K8s apimachinery models package. | ai | |
| phantom-deps | phantom-dep:luxon | AI (phantom-deps): Frontend plugin bundle; deps declared in package.json and consumed via bundled dist, not direct ESM imports. | ai | |
| phantom-deps | phantom-dep:xterm | AI (phantom-deps): Frontend plugin bundle; xterm is a legitimate terminal dep for Kubernetes exec functionality. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-kubernetes-react | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-permission-react | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-kubernetes-common | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| provenance | no-provenance | AI (provenance): Established Backstage monorepo package with 2041 days of history and 57k weekly downloads; lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| dependencies | unvetted-dep:@backstage/core-plugin-api | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-catalog-react | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| dependencies | unvetted-dep:@backstage/frontend-plugin-api | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
| dependencies | unvetted-dep:@backstage/core-components | AI (dependencies): First-party @backstage/* monorepo dependency; expected and legitimate for this plugin package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.12.19 | 9 / 10 | |
| 0.12.18 | 9 / 10 | |
| 0.12.17 | 9 / 10 | |
| 0.12.16 | 9 / 10 | |
| 0.12.15 | 9 / 10 | |
| 0.12.14 | 9 / 10 | |
| 0.12.13 | 10 / 10 | |
| 0.12.12 | 10 / 10 | |
| 0.12.11 | 21 / 10 | |
| 0.12.10 | 21 / 10 | |
| 0.12.9 | 21 / 10 | |
| 0.12.8 | 21 / 10 | |
| 0.12.7 | 21 / 10 | |
v0.12.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.