@c8y/devkit
Cumulocity Webpack Build Facade
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:zip-dir | AI (dependencies): Legitimate build utility for this webpack facade; stable across versions. | ai | |
| dependencies | unvetted-dep:JSONPath | AI (dependencies): Standard JSON querying library used in build tooling; no risk signal. | ai | |
| dependencies | unvetted-dep:babel-plugin-angularjs-annotate | AI (dependencies): Known Babel plugin for AngularJS DI annotation; consistent with this package's purpose. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions CI; provenance attestation absence is common for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-optional-chaining | AI (phantom-deps): Framework-scoped babel plugin; loaded by convention. | ai | |
| phantom-deps | phantom-dep:file-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:html-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-eslint | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:imports-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| npm-metadata | url-dep:angular-gettext-tools | AI (npm-metadata): Git URL is pinned to a specific commit SHA, not a mutable branch; risk is low and stable across versions. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:webpack-dev-middleware | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:webpack-hot-middleware | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:@babel/helper-plugin-utils | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:babel-plugin-angularjs-annotate | AI (phantom-deps): Referenced in config files; stable false positive for this build facade. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-dynamic-import | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:postcss-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Build facade; webpack/babel tools loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader referenced in config files, not direct import — expected pattern. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped babel tooling loaded by convention in build facade. | ai |
Versions (showing 87 of 193)
v1023.14.139
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.138
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.136
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.135
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.132
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.131
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.130
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.128
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.127
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.122
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.118
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.114
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.113
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.112
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.111
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.104
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.103
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.102
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.100
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.98
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.97
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.96
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.94
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.92
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.76
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.70
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.68
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.60
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.57
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.51
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.47
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.44
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.41
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.38
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.37
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.36
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.33
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.8
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.12.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.10.1
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.9.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.7.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.7.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.6.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.5.3
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.4.6
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.4.5
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.4.1
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.0.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.0.0
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1022.46.1
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1022.45.2
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.164
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.163
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.162
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.161
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.160
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.159
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.158
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.157
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.156
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.155
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.154
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.153
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.151
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.150
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.149
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.146
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.145
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.144
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.141
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.140
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.139
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.138
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.137
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.136
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.135
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.134
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.133
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.131
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.130
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.129
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.128
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.127
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.126
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.124
2 findingsDependency 'angular-gettext-tools' in `dependencies` points to 'git+https://github.com/rubenv/angular-gettext-tools.git#5a20d5fe2ad768bfd0cac18259b4986346061eda' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.