@backstage/plugin-org — Greenflagged

A Backstage plugin that helps you create entity pages for your organization

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

patrikofrebenmarcuseide

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): zod is a well-established, widely-used validation library; no malicious history.	ai	2026/04/27
dependencies	unvetted-dep:@backstage/core-plugin-api	AI (dependencies): Core Backstage ecosystem dependency; legitimate and expected for any Backstage frontend plugin.	ai	2026/04/25
dependencies	unvetted-dep:@backstage/plugin-catalog-react	AI (dependencies): Core Backstage ecosystem dependency; legitimate and expected for this plugin.	ai	2026/04/25
dependencies	unvetted-dep:@backstage/plugin-catalog-common	AI (dependencies): Core Backstage ecosystem dependency; legitimate and expected for this plugin.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Official Backstage monorepo plugin with 1965-day history and 88.8k weekly downloads; lack of Sigstore provenance is common and not a risk signal for this established package.	ai	2026/04/25
dependencies	unvetted-dep:@material-ui/lab	AI (dependencies): Well-known Material-UI lab package; standard UI dependency for Backstage plugins using MUI v4.	ai	2026/04/25
dependencies	unvetted-dep:@material-ui/icons	AI (dependencies): Well-known Material-UI icons package; standard UI dependency for Backstage plugins using MUI v4.	ai	2026/04/25
dependencies	unvetted-dep:@remixicon/react	AI (dependencies): Legitimate Remix Icon React library; standard icon dependency with no security concerns.	ai	2026/04/25
dependencies	unvetted-dep:@backstage/ui	AI (dependencies): Official Backstage UI component library; legitimate dependency for Backstage plugins.	ai	2026/04/25

Versions (showing 15 of 15)

Version	Deps	Published
0.7.4	17 / 18	2026-05-19
0.7.3	17 / 18	2026-04-18
0.7.2	17 / 18	2026-04-15
0.7.1	16 / 18	2026-04-14
0.7.0	15 / 18	2026-03-17
0.6.48	14 / 17	2026-01-20
0.6.47	14 / 17	2025-12-16
0.6.46	15 / 17	2025-11-18
0.6.45	15 / 17	2025-10-14
0.6.44	15 / 17	2025-09-16
0.6.43	15 / 17	2025-08-21
0.6.42	15 / 17	2025-08-19
0.6.41	15 / 17	2025-07-15
0.6.40	15 / 17	2025-06-17
0.6.39	15 / 17	2025-05-20

v0.7.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.48

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.47

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.46

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.45

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.44

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.43

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.42

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.41

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.40

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.39

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.