@budibase/worker
Budibase background service
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@govtechsg/passport-openidconnect | AI (dependencies): GovTech SG OIDC passport strategy replacing @techpass/passport-openidconnect; routine upstream rename. | ai | |
| phantom-deps | phantom-dep:@govtechsg/passport-openidconnect | AI (phantom-deps): Bundled service; config-file reference pattern is expected. | ai | |
| dependencies | unvetted-dep:passport-google-oauth | AI (dependencies): Well-known Passport.js OAuth strategy; expected auth dependency for this package. | ai | |
| dependencies | unvetted-dep:pouchdb-all-dbs | AI (dependencies): Standard PouchDB plugin used in Budibase's DB layer; consistent across versions. | ai | |
| dependencies | unvetted-dep:@techpass/passport-openidconnect | AI (dependencies): OIDC passport strategy used for SSO; consistent with Budibase's auth features. | ai | |
| phantom-deps | phantom-dep:undici | AI (phantom-deps): Monorepo bundled package; phantom-dep heuristic unreliable for bundled outputs. | ai | |
| phantom-deps | phantom-dep:aws-sdk | AI (phantom-deps): Config-referenced; expected in Budibase worker for cloud integrations. | ai | |
| phantom-deps | phantom-dep:bcryptjs | AI (phantom-deps): Auth utility; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:koa-send | AI (phantom-deps): Koa middleware; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:koa-static | AI (phantom-deps): Koa middleware; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:koa-passport | AI (phantom-deps): Koa auth middleware; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:passport-local | AI (phantom-deps): Passport strategy; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:server-destroy | AI (phantom-deps): Server utility; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:pouchdb-all-dbs | AI (phantom-deps): PouchDB plugin; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:passport-google-oauth | AI (phantom-deps): Passport strategy; config-referenced in monorepo build. | ai | |
| phantom-deps | phantom-dep:@techpass/passport-openidconnect | AI (phantom-deps): OIDC strategy; config-referenced in monorepo build. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Active Budibase monorepo package with 3070+ versions; dormancy flag is a false positive for this high-frequency publisher. | ai | |
| dependencies | unvetted-dep:scim2-parse-filter | AI (dependencies): Long-standing dep in this package; no advisory; stable across versions. | ai | |
| dependencies | unvetted-dep:scim-patch | AI (dependencies): Long-standing dep in this package; no advisory; stable across versions. | ai | |
| dependencies | unvetted-dep:@types/global-agent | AI (dependencies): Type-only dev-adjacent dep; no risk; stable across versions. | ai | |
| dependencies | unvetted-dep:bull | AI (dependencies): Long-standing dep in this package; no advisory; stable across versions. | ai | |
| dependencies | unvetted-dep:koa-redis | AI (dependencies): Long-standing dep in this package; no advisory; stable across versions. | ai | |
| license | copyleft-license:GPL-3.0 | AI (license): GPL-3.0 is the intentional license for the Budibase project. | ai | |
| provenance | no-provenance | AI (provenance): Budibase monorepo does not publish Sigstore provenance; consistent across all versions. | ai | |
| phantom-deps | phantom-dep:bull | AI (phantom-deps): Referenced in config files per phantom-dep finding; consistent with queue worker pattern in this monorepo. | ai | |
| phantom-deps | phantom-dep:pouchdb | AI (phantom-deps): Config-file reference; consistent with Budibase's CouchDB/PouchDB usage. | ai | |
| phantom-deps | phantom-dep:isolated-vm | AI (phantom-deps): Config-file reference; expected for sandboxed JS execution in worker. | ai | |
| phantom-deps | phantom-dep:@types/global-agent | AI (phantom-deps): Framework-scoped types package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:knex | AI (phantom-deps): Config-file reference only; standard DB dependency pattern for this package. | ai | |
| phantom-deps | phantom-dep:bcrypt | AI (phantom-deps): Config-file reference; expected for auth/worker service. | ai |
Versions (showing 100 of 246)
| Version | Deps | Published |
|---|---|---|
| 3.37.2 | 34 / 15 | |
| 3.37.1 | 34 / 15 | |
| 3.37.0 | 34 / 15 | |
| 3.36.5 | 34 / 15 | |
| 3.36.4 | 33 / 15 | |
| 3.36.3 | 33 / 15 | |
| 3.36.2 | 33 / 15 | |
| 3.36.1 | 33 / 15 | |
| 3.35.10 | 33 / 15 | |
| 3.35.3 | 33 / 15 | |
| 3.35.2 | 33 / 15 | |
| 3.35.1 | 33 / 15 | |
| 3.35.0 | 33 / 15 | |
| 3.34.11 | 33 / 15 | |
| 3.34.10 | 33 / 15 | |
| 3.34.9 | 33 / 15 | |
| 3.34.8 | 33 / 15 | |
| 3.34.7 | 33 / 15 | |
| 3.34.6 | 33 / 15 | |
| 3.34.5 | 33 / 15 | |
| 3.34.4 | 43 / 16 | |
| 3.34.3 | 43 / 16 | |
| 3.34.2 | 43 / 16 | |
| 3.34.1 | 43 / 16 | |
| 3.34.0 | 43 / 16 | |
| 3.33.5 | 43 / 16 | |
| 3.33.4 | 43 / 16 | |
| 3.33.3 | 43 / 16 | |
| 3.33.2 | 43 / 16 | |
| 3.33.1 | 43 / 16 | |
| 3.33.0 | 43 / 16 | |
| 3.32.6 | 43 / 16 | |
| 3.32.5 | 43 / 16 | |
| 3.32.4 | 43 / 16 | |
| 3.32.3 | 43 / 16 | |
| 3.32.2 | 43 / 16 | |
| 3.32.1 | 43 / 16 | |
| 3.32.0 | 43 / 16 | |
| 3.31.9 | 43 / 16 | |
| 3.31.8 | 43 / 16 | |
| 3.31.7 | 43 / 16 | |
| 3.31.6 | 43 / 16 | |
| 3.31.5 | 43 / 16 | |
| 3.31.4 | 43 / 16 | |
| 3.31.3 | 33 / 15 | |
| 3.31.2 | 43 / 16 | |
| 3.31.1 | 43 / 16 | |
| 3.31.0 | 43 / 16 | |
| 3.30.6 | 43 / 16 | |
| 3.30.5 | 43 / 16 | |
| 3.30.4 | 43 / 16 | |
| 3.30.3 | 43 / 16 | |
| 3.30.2 | 43 / 16 | |
| 3.30.1 | 43 / 16 | |
| 3.30.0 | 43 / 16 | |
| 3.29.0 | 43 / 16 | |
| 3.28.3 | 41 / 16 | |
| 3.28.2 | 41 / 16 | |
| 3.28.1 | 41 / 16 | |
| 3.28.0 | 41 / 16 | |
| 3.27.5 | 41 / 16 | |
| 3.27.4 | 41 / 16 | |
| 3.27.3 | 41 / 16 | |
| 3.27.2 | 41 / 16 | |
| 3.27.1 | 41 / 16 | |
| 3.27.0 | 41 / 16 | |
| 3.26.3 | 41 / 17 | |
| 3.26.2 | 41 / 16 | |
| 3.26.1 | 41 / 17 | |
| 3.26.0 | 41 / 17 | |
| 3.25.4 | 41 / 17 | |
| 3.25.3 | 41 / 17 | |
| 3.25.2 | 41 / 17 | |
| 3.25.1 | 41 / 17 | |
| 3.25.0 | 41 / 17 | |
| 3.24.8 | 41 / 17 | |
| 3.24.7 | 41 / 17 | |
| 3.24.6 | 41 / 17 | |
| 3.24.5 | 42 / 17 | |
| 3.24.4 | 42 / 17 | |
| 3.24.3 | 42 / 17 | |
| 3.24.2 | 42 / 17 | |
| 3.24.1 | 42 / 17 | |
| 3.24.0 | 42 / 17 | |
| 3.23.48 | 42 / 17 | |
| 3.23.47 | 42 / 17 | |
| 3.23.38 | 42 / 17 | |
| 3.23.37 | 42 / 17 | |
| 3.23.36 | 42 / 17 | |
| 3.23.35 | 42 / 17 | |
| 3.23.34 | 42 / 17 | |
| 3.23.33 | 42 / 17 | |
| 3.23.32 | 42 / 17 | |
| 3.23.31 | 42 / 17 | |
| 3.23.30 | 42 / 17 | |
| 3.23.29 | 42 / 17 | |
| 3.23.28 | 42 / 17 | |
| 3.23.27 | 42 / 17 | |
| 3.23.26 | 42 / 17 | |
| 3.23.25 | 42 / 17 |
v3.37.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.35.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.35.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.34.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.30.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.29.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.28.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.27.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.26.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.24.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.