@budibase/pro
Budibase Pro (Backend)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): christos-budibase is an established Budibase org publisher with strong track record; transition appears legitimate. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): shogunpurple removal is consistent with internal team transition at Budibase. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): christos-budibase is an established Budibase org publisher; team rotation within same org. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/openai | AI (phantom-deps): Newly added AI SDK dep; referenced in config/re-exported rather than directly imported. | ai | |
| phantom-deps | phantom-dep:ai | AI (phantom-deps): ai is a declared runtime dep likely re-exported; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:undici | AI (phantom-deps): undici is declared as a direct dependency in package.json; phantom-dep false positive. | ai | |
| dependencies | unvetted-dep:bull | AI (dependencies): bull is a well-known Redis-based job queue; stable dependency for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Private/proprietary Budibase monorepo package; sparse README and no keywords are expected. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): High-frequency Budibase monorepo package with 2265 versions; dormancy signal is a false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @budibase/pro cannot be a typosquat of 'pg'; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:bull | AI (phantom-deps): bull is a declared runtime dep used in config/queue setup; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| typosquat | typosquat.levenshtein:pino | AI (typosquat): Scoped package @budibase/pro cannot be a typosquat of 'pino'; Levenshtein match is spurious. | ai |
Versions (showing 100 of 255)
| Version | Deps | Published |
|---|---|---|
| 3.38.5 | 15 / 7 | |
| 3.38.4 | 15 / 7 | |
| 3.38.3 | 15 / 7 | |
| 3.38.2 | 15 / 7 | |
| 3.38.1 | 15 / 7 | |
| 3.38.0 | 15 / 7 | |
| 3.37.5 | 15 / 7 | |
| 3.37.4 | 15 / 7 | |
| 3.37.3 | 15 / 7 | |
| 3.37.2 | 15 / 7 | |
| 3.37.1 | 15 / 7 | |
| 3.37.0 | 15 / 7 | |
| 3.36.5 | 15 / 7 | |
| 3.36.4 | 14 / 7 | |
| 3.36.3 | 14 / 7 | |
| 3.36.2 | 14 / 7 | |
| 3.36.1 | 14 / 7 | |
| 3.35.10 | 14 / 7 | |
| 3.35.3 | 14 / 7 | |
| 3.35.2 | 14 / 7 | |
| 3.35.1 | 14 / 7 | |
| 3.35.0 | 14 / 7 | |
| 3.34.11 | 14 / 7 | |
| 3.34.10 | 14 / 7 | |
| 3.34.9 | 14 / 7 | |
| 3.34.8 | 14 / 7 | |
| 3.34.7 | 14 / 7 | |
| 3.34.6 | 14 / 7 | |
| 3.34.5 | 14 / 7 | |
| 3.34.4 | 16 / 8 | |
| 3.34.3 | 16 / 8 | |
| 3.34.2 | 16 / 9 | |
| 3.34.1 | 16 / 9 | |
| 3.34.0 | 16 / 9 | |
| 3.33.5 | 16 / 9 | |
| 3.33.4 | 16 / 9 | |
| 3.33.3 | 16 / 9 | |
| 3.33.2 | 16 / 9 | |
| 3.33.1 | 16 / 9 | |
| 3.33.0 | 16 / 9 | |
| 3.32.6 | 16 / 9 | |
| 3.32.5 | 16 / 9 | |
| 3.32.4 | 16 / 9 | |
| 3.32.3 | 16 / 9 | |
| 3.32.2 | 16 / 9 | |
| 3.32.1 | 16 / 9 | |
| 3.32.0 | 16 / 9 | |
| 3.31.9 | 16 / 9 | |
| 3.31.8 | 16 / 9 | |
| 3.31.7 | 16 / 9 | |
| 3.31.6 | 16 / 9 | |
| 3.31.5 | 16 / 9 | |
| 3.31.4 | 16 / 9 | |
| 3.31.3 | 14 / 9 | |
| 3.31.2 | 16 / 9 | |
| 3.31.1 | 16 / 9 | |
| 3.31.0 | 16 / 9 | |
| 3.30.6 | 16 / 9 | |
| 3.30.5 | 16 / 9 | |
| 3.30.4 | 16 / 9 | |
| 3.30.3 | 16 / 9 | |
| 3.30.2 | 16 / 9 | |
| 3.30.1 | 16 / 9 | |
| 3.30.0 | 16 / 9 | |
| 3.29.0 | 16 / 9 | |
| 3.28.3 | 17 / 9 | |
| 3.28.2 | 17 / 9 | |
| 3.28.1 | 18 / 9 | |
| 3.28.0 | 18 / 9 | |
| 3.27.5 | 18 / 9 | |
| 3.27.4 | 18 / 9 | |
| 3.27.3 | 18 / 9 | |
| 3.27.2 | 18 / 9 | |
| 3.27.1 | 18 / 9 | |
| 3.27.0 | 18 / 9 | |
| 3.26.3 | 18 / 9 | |
| 3.26.2 | 18 / 9 | |
| 3.26.1 | 18 / 9 | |
| 3.26.0 | 18 / 9 | |
| 3.25.4 | 18 / 9 | |
| 3.25.3 | 18 / 9 | |
| 3.25.2 | 18 / 9 | |
| 3.25.1 | 18 / 9 | |
| 3.25.0 | 18 / 9 | |
| 3.24.8 | 18 / 9 | |
| 3.24.7 | 18 / 9 | |
| 3.24.6 | 18 / 9 | |
| 3.24.5 | 18 / 9 | |
| 3.24.4 | 20 / 9 | |
| 3.24.3 | 20 / 9 | |
| 3.24.2 | 20 / 9 | |
| 3.24.1 | 20 / 9 | |
| 3.24.0 | 20 / 9 | |
| 3.23.48 | 20 / 9 | |
| 3.23.47 | 20 / 9 | |
| 3.23.38 | 20 / 9 | |
| 3.23.37 | 20 / 9 | |
| 3.23.36 | 20 / 9 | |
| 3.23.35 | 20 / 9 | |
| 3.23.34 | 20 / 9 |
v3.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.38.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.37.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.36.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.36.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.36.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.36.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.36.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.35.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.35.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.35.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.35.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.35.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.34.11
2 findingsThis version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.10
2 findingsThis version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.9
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.7
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.6
2 findingsThis version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.5
2 findingsThis version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.3
2 findingsThis version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.5
2 findingsThis version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.3
2 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.6
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.5
2 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.3
2 findingsThis version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.9
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.7
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.6
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.5
2 findingsThis version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.4
2 findingsThis version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.3
2 findingsThis version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.2
2 findingsThis version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.6
2 findingsThis version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.5
2 findingsThis version was published by a different npm account than previous versions on 2026-02-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.4
2 findingsThis version was published by a different npm account than previous versions on 2026-02-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.3
2 findingsThis version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.2
2 findingsThis version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.29.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.3
2 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.2
2 findingsThis version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.1
2 findingsThis version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.5
2 findingsThis version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.4
2 findingsThis version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.3
2 findingsThis version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.2
2 findingsThis version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.3
2 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.2
2 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.4
2 findingsThis version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.3
2 findingsThis version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.2
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.8
2 findingsThis version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.7
2 findingsThis version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.6
2 findingsThis version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.5
2 findingsThis version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.4
2 findingsThis version was published by a different npm account than previous versions on 2026-01-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.3
2 findingsThis version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.2
2 findingsThis version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.48
2 findingsThis version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.47
2 findingsThis version was published by a different npm account than previous versions on 2026-01-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.38
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.37
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.36
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.35
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.34
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.