@budibase/worker — Greenflagged

Budibase background service

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

melbudibasepclmntjoranamochristos-budibase

Keywords

budibase

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@govtechsg/passport-openidconnect	AI (dependencies): GovTech SG OIDC passport strategy replacing @techpass/passport-openidconnect; routine upstream rename.	ai	2026/05/04
phantom-deps	phantom-dep:@govtechsg/passport-openidconnect	AI (phantom-deps): Bundled service; config-file reference pattern is expected.	ai	2026/05/04
dependencies	unvetted-dep:passport-google-oauth	AI (dependencies): Well-known Passport.js OAuth strategy; expected auth dependency for this package.	ai	2026/05/04
dependencies	unvetted-dep:pouchdb-all-dbs	AI (dependencies): Standard PouchDB plugin used in Budibase's DB layer; consistent across versions.	ai	2026/05/04
dependencies	unvetted-dep:@techpass/passport-openidconnect	AI (dependencies): OIDC passport strategy used for SSO; consistent with Budibase's auth features.	ai	2026/05/04
phantom-deps	phantom-dep:undici	AI (phantom-deps): Monorepo bundled package; phantom-dep heuristic unreliable for bundled outputs.	ai	2026/05/04
phantom-deps	phantom-dep:aws-sdk	AI (phantom-deps): Config-referenced; expected in Budibase worker for cloud integrations.	ai	2026/05/04
phantom-deps	phantom-dep:bcryptjs	AI (phantom-deps): Auth utility; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:koa-send	AI (phantom-deps): Koa middleware; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:koa-static	AI (phantom-deps): Koa middleware; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:koa-passport	AI (phantom-deps): Koa auth middleware; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:passport-local	AI (phantom-deps): Passport strategy; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:server-destroy	AI (phantom-deps): Server utility; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:pouchdb-all-dbs	AI (phantom-deps): PouchDB plugin; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:passport-google-oauth	AI (phantom-deps): Passport strategy; config-referenced in monorepo build.	ai	2026/05/04
phantom-deps	phantom-dep:@techpass/passport-openidconnect	AI (phantom-deps): OIDC strategy; config-referenced in monorepo build.	ai	2026/05/04
publish-pattern	dormant-publish	AI (publish-pattern): Active Budibase monorepo package with 3070+ versions; dormancy flag is a false positive for this high-frequency publisher.	ai	2026/05/01
dependencies	unvetted-dep:scim2-parse-filter	AI (dependencies): Long-standing dep in this package; no advisory; stable across versions.	ai	2026/04/30
dependencies	unvetted-dep:scim-patch	AI (dependencies): Long-standing dep in this package; no advisory; stable across versions.	ai	2026/04/30
dependencies	unvetted-dep:@types/global-agent	AI (dependencies): Type-only dev-adjacent dep; no risk; stable across versions.	ai	2026/04/30
dependencies	unvetted-dep:bull	AI (dependencies): Long-standing dep in this package; no advisory; stable across versions.	ai	2026/04/30
dependencies	unvetted-dep:koa-redis	AI (dependencies): Long-standing dep in this package; no advisory; stable across versions.	ai	2026/04/30
license	copyleft-license:GPL-3.0	AI (license): GPL-3.0 is the intentional license for the Budibase project.	ai	2026/04/30
provenance	no-provenance	AI (provenance): Budibase monorepo does not publish Sigstore provenance; consistent across all versions.	ai	2026/04/30
phantom-deps	phantom-dep:bull	AI (phantom-deps): Referenced in config files per phantom-dep finding; consistent with queue worker pattern in this monorepo.	ai	2026/04/29
phantom-deps	phantom-dep:pouchdb	AI (phantom-deps): Config-file reference; consistent with Budibase's CouchDB/PouchDB usage.	ai	2026/04/29
phantom-deps	phantom-dep:isolated-vm	AI (phantom-deps): Config-file reference; expected for sandboxed JS execution in worker.	ai	2026/04/29
phantom-deps	phantom-dep:@types/global-agent	AI (phantom-deps): Framework-scoped types package; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:knex	AI (phantom-deps): Config-file reference only; standard DB dependency pattern for this package.	ai	2026/04/29
phantom-deps	phantom-dep:bcrypt	AI (phantom-deps): Config-file reference; expected for auth/worker service.	ai	2026/04/29

Versions (showing 51 of 246)

View all versions

Version	Deps	Published
3.37.2	34 / 15	2026-04-30
3.37.1	34 / 15	2026-04-29
3.37.0	34 / 15	2026-04-28
3.36.5	34 / 15	2026-04-27
3.36.4	33 / 15	2026-04-27
3.36.3	33 / 15	2026-04-24
3.36.2	33 / 15	2026-04-23
3.36.1	33 / 15	2026-04-22
3.35.10	33 / 15	2026-04-21
3.35.3	33 / 15	2026-04-08
3.35.2	33 / 15	2026-04-02
3.35.1	33 / 15	2026-04-01
3.35.0	33 / 15	2026-03-31
3.34.11	33 / 15	2026-03-26
3.34.10	33 / 15	2026-03-26
3.34.9	33 / 15	2026-03-25
3.34.8	33 / 15	2026-03-25
3.34.7	33 / 15	2026-03-25
3.34.6	33 / 15	2026-03-23
3.34.5	33 / 15	2026-03-23
3.34.4	43 / 16	2026-03-20
3.34.3	43 / 16	2026-03-19
3.34.2	43 / 16	2026-03-18
3.34.1	43 / 16	2026-03-16
3.34.0	43 / 16	2026-03-16
3.33.5	43 / 16	2026-03-13
3.33.4	43 / 16	2026-03-13
3.33.3	43 / 16	2026-03-12
3.33.2	43 / 16	2026-03-12
3.33.1	43 / 16	2026-03-11
3.33.0	43 / 16	2026-03-11
3.32.6	43 / 16	2026-03-11
3.32.5	43 / 16	2026-03-11
3.32.4	43 / 16	2026-03-10
3.32.3	43 / 16	2026-03-06
3.32.2	43 / 16	2026-03-06
3.32.1	43 / 16	2026-03-06
3.32.0	43 / 16	2026-03-06
3.31.9	43 / 16	2026-03-05
3.31.8	43 / 16	2026-03-05
3.31.7	43 / 16	2026-03-05
3.31.6	43 / 16	2026-03-05
3.31.5	43 / 16	2026-03-03
3.31.4	43 / 16	2026-02-27
3.31.3	33 / 15	2026-02-27
3.31.2	43 / 16	2026-02-26
3.31.1	43 / 16	2026-02-26
3.31.0	43 / 16	2026-02-25
3.30.6	43 / 16	2026-02-24
3.30.5	43 / 16	2026-02-21
3.30.4	43 / 16	2026-02-21

v3.37.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.35.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.35.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.34.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.34.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.33.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.32.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.31.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.30.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.30.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.30.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.