@backstage/plugin-scaffolder
The Backstage plugin that helps you create new things
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): Both new deps are legitimate: react-aria-components is Adobe's well-known a11y lib; @backstage/filter-predicates is same-org. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a standard observable library; its use in Backstage scaffolder plugin is legitimate and stable across versions. | ai | |
| dependencies | unvetted-dep:@material-ui/lab | AI (dependencies): @material-ui/lab 4.0.0-alpha.61 is the standard pinned MUI v4 alpha used across Backstage; stable legitimate dependency. | ai | |
| dependencies | unvetted-dep:json-schema-library | AI (dependencies): json-schema-library is a legitimate JSON schema utility; used intentionally by this plugin for schema handling. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-techdocs-common | AI (dependencies): First-party Backstage sibling package from the same monorepo; stable legitimate dependency. | ai | |
| dependencies | unvetted-dep:@backstage/plugin-scaffolder-react | AI (dependencies): First-party Backstage sibling package from the same monorepo; stable legitimate dependency. | ai | |
| phantom-deps | phantom-dep:json-schema-library | AI (phantom-deps): Declared dependency referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@backstage/integration | AI (phantom-deps): Same-org Backstage package; phantom-dep heuristic is unreliable for same-scope packages. | ai | |
| phantom-deps | phantom-dep:json-schema | AI (phantom-deps): Declared in package.json for config-driven use in this large Backstage plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:git-url-parse | AI (phantom-deps): Declared dependency used in config files in this Backstage plugin; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-resizable | AI (phantom-deps): Declared dependency referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@backstage/types | AI (phantom-deps): Same-org Backstage package; phantom-dep heuristic is unreliable for same-scope packages. | ai | |
| phantom-deps | phantom-dep:@rjsf/material-ui | AI (phantom-deps): Declared dependency referenced in config files; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Backstage monorepo publishes via CI without Sigstore provenance; absence is consistent across all versions and not a risk indicator for this package. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 1.37.0 | 49 / 21 | |
| 1.36.2 | 47 / 21 | |
| 1.36.1 | 47 / 21 | |
| 1.36.0 | 45 / 21 | |
| 1.35.4 | 45 / 21 | |
| 1.35.3 | 45 / 21 | |
| 1.35.2 | 45 / 20 | |
| 1.35.1 | 45 / 20 | |
| 1.35.0 | 45 / 20 | |
| 1.34.3 | 46 / 20 | |
| 1.34.2 | 46 / 20 | |
| 1.34.1 | 46 / 20 | |
| 1.34.0 | 44 / 19 | |
| 1.33.0 | 45 / 20 | |
| 1.32.0 | 45 / 20 | |
| 1.31.0 | 45 / 20 |
v1.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.36.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.