@backstage/plugin-notifications
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@material-ui/lab | AI (dependencies): @material-ui/lab is a well-known MUI package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@backstage/ui | AI (phantom-deps): Same-org Backstage dependency; likely used indirectly or through re-exports within the monorepo ecosystem. Not a security concern. | ai | |
| dependencies | unvetted-dep:material-ui-confirm | AI (dependencies): material-ui-confirm is a well-known MUI dialog library; its use in a notifications UI plugin is expected and stable across versions. | ai | |
| dependencies | unvetted-dep:react-relative-time | AI (dependencies): react-relative-time is a small timestamp utility appropriate for a notifications plugin; stable dependency for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Backstage monorepo sub-packages routinely omit standalone descriptions; this is a structural pattern, not a spam/malware indicator. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Backstage monorepo plugins consistently lack standalone keywords/README code blocks; these signals are false positives for this package family. | ai | |
| provenance | no-provenance | AI (provenance): Backstage does not currently publish with Sigstore provenance; absence is expected and consistent across all @backstage/* packages. | ai | |
| phantom-deps | phantom-dep:@backstage/theme | AI (phantom-deps): @backstage/theme is a legitimate peer/transitive dependency in the Backstage ecosystem; phantom detection is a false positive here. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.5.17 | 14 / 11 | |
| 0.5.16 | 13 / 11 | |
| 0.5.15 | 15 / 11 | |
| 0.5.14 | 14 / 11 | |
| 0.5.13 | 14 / 11 | |
| 0.5.12 | 14 / 11 | |
| 0.5.11 | 15 / 11 | |
| 0.5.7 | 17 / 13 | |
| 0.5.6 | 17 / 13 | |
| 0.5.5 | 17 / 13 |
v0.5.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.