@backstage/plugin-scaffolder-backend
The Backstage backend plugin that helps you create new things
4
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
patrikofrebenmarcuseide
Keywords
backstage
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@backstage/plugin-catalog-backend-module-scaffolder-entity-model | AI (phantom-deps): First-party @backstage scoped module listed as peerModule in backstage config; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-gerrit | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-github | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-gitlab | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-bitbucket | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-bitbucket-cloud | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-bitbucket-server | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:p-limit | AI (phantom-deps): p-limit is declared in package.json and used indirectly; phantom-dep heuristic fires on config references. Stable false positive for this Backstage monorepo plugin. | ai | |
| phantom-deps | phantom-dep:concat-stream | AI (phantom-deps): concat-stream is declared in package.json and used indirectly; phantom-dep heuristic fires on config references. Stable false positive for this Backstage monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-auth-node | AI (phantom-deps): First-party @backstage scoped package declared as dependency; phantom-dep heuristic is a false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-bitbucket-cloud-common | AI (phantom-deps): First-party @backstage scoped package; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-azure | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| phantom-deps | phantom-dep:@backstage/plugin-scaffolder-backend-module-gitea | AI (phantom-deps): First-party @backstage scoped module; phantom-dep is a stable false positive for this monorepo plugin. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a standard observable implementation; legitimate dependency for this Backstage plugin. | ai | |
| dependencies | unvetted-dep:@backstage/backend-plugin-api | AI (dependencies): First-party Backstage package; expected core dependency for any Backstage backend plugin. | ai | |
| phantom-deps | phantom-dep:logform | AI (phantom-deps): logform is a transitive winston dependency commonly referenced in config files; benign for this package. | ai | |
| phantom-deps | phantom-dep:@types/luxon | AI (phantom-deps): Type-only package loaded by framework convention; not a real phantom dependency concern. | ai | |
| provenance | no-provenance | AI (provenance): Established Backstage monorepo package; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:isolated-vm | AI (dependencies): isolated-vm is a legitimate sandboxing library used by Backstage scaffolder for safe template evaluation; expected dependency for this package. | ai |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 4.0.0 | 34 / 14 | |
| 3.3.0 | 36 / 14 | |
| 3.2.0 | 36 / 14 | |
| 3.1.5 | 49 / 15 |
v4.0.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.5
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.