@beechcms/cms — Greenflagged

Edge-Native, Schema-Driven Headless CMS built on Cloudflare Workers, D1, and R2. Features the Botanical Engine for alias-stable field management, a modular widget layer, and a React + Vite admin dashboard.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

beech-cms

Keywords

cmsheadless-cmscloudflarecloudflare-workersd1edgeschema-drivenapi-firsthonoreactturborepo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): New package; provenance adoption is a maintainer workflow choice, not a version-level blocker.	ai	2026/05/17
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped CMS package; Levenshtein match to 'cors' is incidental, no impersonation intent.	ai	2026/05/10
typosquat	typosquat.levenshtein:qs	AI (typosquat): Scoped CMS package; Levenshtein match to 'qs' is incidental, no impersonation intent.	ai	2026/05/10
dependencies	unvetted-dep:@beechcms/cli	AI (dependencies): Internal monorepo sibling package under the same @beechcms scope; not a suspicious third-party dep.	ai	2026/05/10

Versions (showing 5 of 5)

Version	Deps	Published
0.5.0	3 / 3	2026-05-22
0.4.3	3 / 3	2026-05-17
0.4.2	3 / 3	2026-05-16
0.4.1	3 / 3	2026-05-08
0.4.0	3 / 3	2026-05-06

v0.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.