@budibase/pro — Greenflagged

Budibase Pro (Backend)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

melbudibasepclmntjoranamochristos-budibase

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): christos-budibase is an established Budibase org publisher with strong track record; transition appears legitimate.	ai	2026/05/08
maintainer-change	maintainer-removed	AI (maintainer-change): shogunpurple removal is consistent with internal team transition at Budibase.	ai	2026/05/08
maintainer-change	maintainer-added	AI (maintainer-change): christos-budibase is an established Budibase org publisher; team rotation within same org.	ai	2026/05/08
phantom-deps	phantom-dep:@ai-sdk/openai	AI (phantom-deps): Newly added AI SDK dep; referenced in config/re-exported rather than directly imported.	ai	2026/05/04
phantom-deps	phantom-dep:ai	AI (phantom-deps): ai is a declared runtime dep likely re-exported; phantom-dep false positive for this package.	ai	2026/05/04
phantom-deps	phantom-dep:undici	AI (phantom-deps): undici is declared as a direct dependency in package.json; phantom-dep false positive.	ai	2026/05/04
dependencies	unvetted-dep:bull	AI (dependencies): bull is a well-known Redis-based job queue; stable dependency for this package.	ai	2026/05/04
bogus-package	bogus-package	AI (bogus-package): Private/proprietary Budibase monorepo package; sparse README and no keywords are expected.	ai	2026/05/04
publish-pattern	dormant-publish	AI (publish-pattern): High-frequency Budibase monorepo package with 2265 versions; dormancy signal is a false positive for this package.	ai	2026/05/01
typosquat	typosquat.levenshtein:pg	AI (typosquat): Scoped package @budibase/pro cannot be a typosquat of 'pg'; Levenshtein match is spurious.	ai	2026/04/29
phantom-deps	phantom-dep:bull	AI (phantom-deps): bull is a declared runtime dep used in config/queue setup; phantom-dep heuristic fires on indirect usage patterns.	ai	2026/04/29
typosquat	typosquat.levenshtein:pino	AI (typosquat): Scoped package @budibase/pro cannot be a typosquat of 'pino'; Levenshtein match is spurious.	ai	2026/04/29

Versions (showing 55 of 260)

Version	Deps	Published
3.13.21	17 / 13	2025-07-21
3.13.20	17 / 13	2025-07-21
3.13.19	17 / 13	2025-07-18
3.13.18	17 / 13	2025-07-18
3.13.17	17 / 13	2025-07-17
3.13.16	17 / 13	2025-07-14
3.13.15	17 / 13	2025-07-10
3.13.14	17 / 13	2025-07-10
3.13.13	17 / 13	2025-07-10
3.13.12	17 / 13	2025-07-10
3.13.11	17 / 13	2025-07-09
3.13.10	17 / 13	2025-07-07
3.13.9	17 / 13	2025-07-07
3.13.8	17 / 13	2025-07-02
3.13.7	17 / 13	2025-07-02
3.13.6	17 / 13	2025-06-26
3.13.5	17 / 13	2025-06-26
3.13.4	17 / 13	2025-06-26
3.13.3	17 / 13	2025-06-26
3.13.2	17 / 13	2025-06-25
3.13.1	17 / 13	2025-06-25
3.13.0	17 / 13	2025-06-25
3.12.21	17 / 13	2025-06-25
3.12.20	17 / 13	2025-06-24
3.12.19	17 / 13	2025-06-20
3.12.18	17 / 13	2025-06-19
3.12.17	17 / 13	2025-06-19
3.12.16	17 / 13	2025-06-18
3.12.15	17 / 13	2025-06-18
3.12.14	17 / 13	2025-06-17
3.12.13	17 / 13	2025-06-12
3.12.12	17 / 13	2025-06-11
3.12.11	17 / 13	2025-06-11
3.12.10	17 / 13	2025-06-11
3.12.9	17 / 13	2025-06-10
3.12.8	17 / 13	2025-06-03
3.12.7	17 / 13	2025-06-03
3.12.6	17 / 13	2025-05-30
3.12.5	17 / 13	2025-05-29
3.12.4	17 / 13	2025-05-29
3.12.3	17 / 13	2025-05-29
3.12.2	17 / 13	2025-05-29
3.12.1	17 / 13	2025-05-28
3.12.0	17 / 13	2025-05-27
3.11.2	17 / 13	2025-05-19
3.11.1	17 / 13	2025-05-16
3.11.0	17 / 13	2025-05-15
3.10.7	17 / 13	2025-05-15
3.10.6	17 / 13	2025-05-13
3.10.5	16 / 13	2025-05-12
3.10.4	16 / 13	2025-05-09
3.10.3	16 / 13	2025-05-08
3.10.2	16 / 13	2025-05-07
3.10.1	16 / 13	2025-05-07
3.10.0	16 / 13	2025-05-06