@c8y/hybrid — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

c8y

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Published via GitHub Actions; org-wide pattern of no Sigstore attestation.	ai	2026/05/27
dependencies	unvetted-dep:angular	AI (dependencies): @c8y/hybrid is an Angular/AngularJS hybrid package; angular 1.8.3 is an expected and intentional dependency.	ai	2026/05/27
npm-metadata	no-description	AI (npm-metadata): Consistent across @c8y/* packages; not indicative of malice.	ai	2026/05/27
bogus-package	bogus-package	AI (bogus-package): Established @c8y org package with 456 versions; sparse metadata is a consistent pattern across the org, not a spam indicator.	ai	2026/05/26
phantom-deps	phantom-dep:@angular/cdk	AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:rxjs	AI (phantom-deps): Framework package; rxjs is a peer/transitive dep loaded by convention, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:ngx-bootstrap	AI (phantom-deps): Referenced in config files; loaded by convention in this platform package.	ai	2026/04/29
phantom-deps	phantom-dep:monaco-editor	AI (phantom-deps): Referenced in config files; loaded by convention in this platform package.	ai	2026/04/29
phantom-deps	phantom-dep:angular	AI (phantom-deps): AngularJS loaded by convention in hybrid Angular/AngularJS setup.	ai	2026/04/29
phantom-deps	phantom-dep:@c8y/style	AI (phantom-deps): Same-org sibling dep; referenced in config, not direct import — expected pattern.	ai	2026/04/29
phantom-deps	phantom-dep:@c8y/client	AI (phantom-deps): Same-org sibling dep; referenced in config, not direct import — expected pattern.	ai	2026/04/29

Versions (showing 5 of 5)

Version	Deps	Published
1023.80.0	11 / 2	2026-05-11
1023.76.0	11 / 2	2026-04-27
1023.14.152	11 / 2	2026-05-06
1023.14.132	11 / 2	2026-03-29
1021.22.161	11 / 2	2026-05-11

v1023.80.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1023.14.152

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1023.14.132

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1021.22.161

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.