@c8y/devkit
Cumulocity Webpack Build Facade
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:zip-dir | AI (dependencies): Legitimate build utility for this webpack facade; stable across versions. | ai | |
| dependencies | unvetted-dep:JSONPath | AI (dependencies): Standard JSON querying library used in build tooling; no risk signal. | ai | |
| dependencies | unvetted-dep:babel-plugin-angularjs-annotate | AI (dependencies): Known Babel plugin for AngularJS DI annotation; consistent with this package's purpose. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions CI; provenance attestation absence is common for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-optional-chaining | AI (phantom-deps): Framework-scoped babel plugin; loaded by convention. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:html-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-eslint | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:imports-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| npm-metadata | url-dep:angular-gettext-tools | AI (npm-metadata): Git URL is pinned to a specific commit SHA, not a mutable branch; risk is low and stable across versions. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:webpack-dev-middleware | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:webpack-hot-middleware | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:@babel/helper-plugin-utils | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:babel-plugin-angularjs-annotate | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-dynamic-import | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Build facade; webpack/babel tools loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
Versions (showing 100 of 187)

Three findings recur across the listed versions. Each is stated once below and the versions carrying it are grouped in descending version order; the per-version finding count is preserved.

Finding A (URL dependency): Dependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

Finding B (no provenance): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Finding C (no provenance, earlier wording): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

| Versions | Findings |
|---|---|
| v1023.83.4, v1023.83.3, v1023.83.2, v1023.82.8 | 1 finding: [Accepted risk] B |
| v1023.82.4, v1023.82.3, v1023.82.2, v1023.82.1, v1023.82.0, v1023.81.3, v1023.81.2, v1023.80.2, v1023.80.0, v1023.79.1, v1023.78.7, v1023.78.5, v1023.78.4, v1023.78.1, v1023.77.1 | 2 findings: A, B |
| v1023.75.1, v1023.71.1, v1023.70.0, v1023.68.7, v1023.68.6, v1023.68.3, v1023.68.0, v1023.67.0, v1023.66.4, v1023.66.3, v1023.65.2, v1023.65.1 | 2 findings: A, C |
| v1023.64.1 | 1 finding: C |
| v1023.63.1, v1023.63.0, v1023.62.2, v1023.61.12, v1023.61.2, v1023.61.0, v1023.59.1, v1023.58.3, v1023.57.0, v1023.55.5, v1023.53.0, v1023.52.0, v1023.50.2, v1023.48.3, v1023.48.2, v1023.48.0, v1023.47.3, v1023.47.1 | 2 findings: A, C |
v1023.47.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.43.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.43.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.42.1
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.37.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.30.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.28.5
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.26.1
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.25.6
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.25.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.14
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.11
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.7
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.6
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.5
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.22.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.20
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.19
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.16
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.13
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.11
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.8
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.6
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.17.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.16.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.15.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.171
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.168
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.167
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.165
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.162
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.161
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.160
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.159
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.157
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.156
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.154
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.153
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.152
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.150
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.148
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.146
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.145
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.144
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.143
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.142
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.141
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.