@bubblelab/bubble-core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:chart.js | AI (phantom-deps): chart.js is a peer/config dep for chartjs-node-canvas; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:zod-to-json-schema | AI (phantom-deps): Schema utility likely used indirectly via LangChain integrations. | ai | |
| phantom-deps | phantom-dep:@types/pg | AI (phantom-deps): TypeScript type package loaded by convention; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@langchain/community | AI (phantom-deps): Config-file reference; stable pattern for this package. | ai | |
Versions (showing 64 of 64)
| Version | Deps | Published |
|---|---|---|
| 0.1.324 | 20 / 6 | |
| 0.1.323 | 20 / 6 | |
| 0.1.322 | 20 / 6 | |
| 0.1.321 | 20 / 6 | |
| 0.1.320 | 20 / 6 | |
| 0.1.319 | 20 / 6 | |
| 0.1.318 | 20 / 6 | |
| 0.1.317 | 20 / 6 | |
| 0.1.316 | 20 / 6 | |
| 0.1.314 | 20 / 6 | |
| 0.1.313 | 20 / 6 | |
| 0.1.312 | 20 / 6 | |
| 0.1.311 | 20 / 6 | |
| 0.1.310 | 20 / 6 | |
| 0.1.309 | 20 / 6 | |
| 0.1.308 | 20 / 6 | |
| 0.1.307 | 20 / 6 | |
| 0.1.306 | 20 / 6 | |
| 0.1.305 | 20 / 6 | |
| 0.1.304 | 20 / 6 | |
| 0.1.303 | 20 / 6 | |
| 0.1.302 | 20 / 6 | |
| 0.1.301 | 20 / 6 | |
| 0.1.300 | 20 / 6 | |
| 0.1.299 | 20 / 6 | |
| 0.1.298 | 20 / 6 | |
| 0.1.297 | 20 / 6 | |
| 0.1.296 | 20 / 6 | |
| 0.1.295 | 20 / 6 | |
| 0.1.294 | 20 / 6 | |
| 0.1.293 | 20 / 6 | |
| 0.1.292 | 20 / 6 | |
| 0.1.291 | 20 / 6 | |
| 0.1.289 | 20 / 6 | |
| 0.1.288 | 20 / 6 | |
| 0.1.287 | 20 / 6 | |
| 0.1.286 | 20 / 6 | |
| 0.1.285 | 20 / 6 | |
| 0.1.284 | 20 / 6 | |
| 0.1.283 | 20 / 6 | |
| 0.1.282 | 20 / 6 | |
| 0.1.281 | 20 / 6 | |
| 0.1.280 | 20 / 6 | |
| 0.1.279 | 20 / 6 | |
| 0.1.278 | 20 / 6 | |
| 0.1.277 | 20 / 6 | |
| 0.1.276 | 20 / 6 | |
| 0.1.275 | 20 / 6 | |
| 0.1.273 | 20 / 6 | |
| 0.1.272 | 20 / 6 | |
| 0.1.271 | 20 / 6 | |
| 0.1.270 | 20 / 6 | |
| 0.1.269 | 20 / 6 | |
| 0.1.268 | 20 / 6 | |
| 0.1.267 | 20 / 6 | |
| 0.1.266 | 20 / 6 | |
| 0.1.265 | 20 / 6 | |
| 0.1.263 | 20 / 6 | |
| 0.1.262 | 20 / 6 | |
| 0.1.261 | 20 / 6 | |
| 0.1.8 | 18 / 5 | |
| 0.1.2 | 17 / 5 | |
| 0.1.1 | 17 / 5 | |
| 0.1.0 | 16 / 5 | |
v0.1.324
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.322
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.321
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.320
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.319
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.318
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.317
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.316
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.314
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.313
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.312
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.311
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.310
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.309
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.308
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.307
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.306
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.305
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.304
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.303
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.302
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.301
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.300
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.299
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.298
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.297
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.296
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.295
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.294
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.293
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.292
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.291
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.289
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.288
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.287
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.286
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.285
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.284
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.283
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.282
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.281
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.280
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.279
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.278
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.277
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.276
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.275
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.273
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.272
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.271
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.270
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.269
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.268
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.267
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.266
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.265
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.263
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.262
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.261
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.