@bubblelab/bubble-runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared dependency likely used transitively or in config; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:patch-package | AI (phantom-deps): patch-package declared as dependency; used in build/patch workflow, not directly imported in source. | ai |
Versions (showing 100 of 300)
| Version | Deps | Published |
|---|---|---|
| 0.1.324 | 7 / 4 | |
| 0.1.323 | 7 / 4 | |
| 0.1.322 | 7 / 4 | |
| 0.1.321 | 7 / 4 | |
| 0.1.320 | 7 / 4 | |
| 0.1.319 | 7 / 4 | |
| 0.1.318 | 7 / 4 | |
| 0.1.317 | 7 / 4 | |
| 0.1.316 | 7 / 4 | |
| 0.1.314 | 7 / 4 | |
| 0.1.313 | 7 / 4 | |
| 0.1.312 | 7 / 4 | |
| 0.1.311 | 7 / 4 | |
| 0.1.310 | 7 / 4 | |
| 0.1.309 | 7 / 4 | |
| 0.1.308 | 7 / 4 | |
| 0.1.307 | 7 / 4 | |
| 0.1.306 | 7 / 4 | |
| 0.1.305 | 7 / 4 | |
| 0.1.304 | 7 / 4 | |
| 0.1.303 | 7 / 4 | |
| 0.1.302 | 7 / 4 | |
| 0.1.301 | 7 / 4 | |
| 0.1.300 | 7 / 4 | |
| 0.1.299 | 7 / 4 | |
| 0.1.298 | 7 / 4 | |
| 0.1.297 | 7 / 4 | |
| 0.1.296 | 7 / 4 | |
| 0.1.295 | 7 / 4 | |
| 0.1.294 | 7 / 4 | |
| 0.1.293 | 7 / 4 | |
| 0.1.292 | 7 / 4 | |
| 0.1.291 | 7 / 4 | |
| 0.1.289 | 7 / 4 | |
| 0.1.288 | 7 / 4 | |
| 0.1.287 | 7 / 4 | |
| 0.1.286 | 7 / 4 | |
| 0.1.285 | 7 / 4 | |
| 0.1.284 | 7 / 4 | |
| 0.1.283 | 7 / 4 | |
| 0.1.282 | 7 / 4 | |
| 0.1.281 | 7 / 4 | |
| 0.1.280 | 7 / 4 | |
| 0.1.279 | 7 / 4 | |
| 0.1.278 | 7 / 4 | |
| 0.1.277 | 7 / 4 | |
| 0.1.276 | 7 / 4 | |
| 0.1.275 | 7 / 4 | |
| 0.1.273 | 7 / 4 | |
| 0.1.272 | 7 / 4 | |
| 0.1.271 | 7 / 4 | |
| 0.1.270 | 7 / 4 | |
| 0.1.269 | 7 / 4 | |
| 0.1.268 | 7 / 4 | |
| 0.1.267 | 7 / 4 | |
| 0.1.266 | 7 / 4 | |
| 0.1.265 | 7 / 4 | |
| 0.1.263 | 7 / 4 | |
| 0.1.262 | 7 / 4 | |
| 0.1.261 | 7 / 4 | |
| 0.1.255 | 7 / 4 | |
| 0.1.254 | 7 / 4 | |
| 0.1.253 | 7 / 4 | |
| 0.1.252 | 7 / 4 | |
| 0.1.251 | 7 / 4 | |
| 0.1.250 | 7 / 4 | |
| 0.1.249 | 7 / 4 | |
| 0.1.248 | 7 / 4 | |
| 0.1.247 | 7 / 4 | |
| 0.1.246 | 7 / 4 | |
| 0.1.245 | 7 / 4 | |
| 0.1.244 | 7 / 4 | |
| 0.1.243 | 7 / 4 | |
| 0.1.242 | 7 / 4 | |
| 0.1.241 | 7 / 4 | |
| 0.1.240 | 7 / 4 | |
| 0.1.239 | 7 / 4 | |
| 0.1.238 | 7 / 4 | |
| 0.1.237 | 7 / 4 | |
| 0.1.236 | 7 / 4 | |
| 0.1.235 | 7 / 4 | |
| 0.1.234 | 7 / 4 | |
| 0.1.233 | 7 / 4 | |
| 0.1.232 | 7 / 4 | |
| 0.1.231 | 7 / 4 | |
| 0.1.230 | 7 / 4 | |
| 0.1.229 | 7 / 4 | |
| 0.1.228 | 7 / 4 | |
| 0.1.227 | 7 / 4 | |
| 0.1.226 | 7 / 4 | |
| 0.1.225 | 7 / 4 | |
| 0.1.224 | 7 / 4 | |
| 0.1.223 | 7 / 4 | |
| 0.1.222 | 7 / 4 | |
| 0.1.221 | 7 / 4 | |
| 0.1.220 | 7 / 4 | |
| 0.1.219 | 7 / 4 | |
| 0.1.218 | 7 / 4 | |
| 0.1.217 | 7 / 4 | |
| 0.1.216 | 7 / 4 |
v0.1.324
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.322
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.321
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.320
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.319
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.318
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.317
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.316
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.312
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.310
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.308
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.307
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.302
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.298
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.297
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.294
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.291
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.289
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.287
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.277
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.273
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.271
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.270
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.269
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.266
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.262
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.261
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.255
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.254
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.253
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.252
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.251
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.250
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.249
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.248
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.247
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.246
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.245
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.244
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.243
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.242
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.241
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.240
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.239
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.238
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.237
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.236
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.235
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.234
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.233
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.232
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.231
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.230
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.229
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.228
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.227
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.226
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.225
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.224
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.223
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.222
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.221
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.220
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.219
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.218
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.217
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.216
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.