
@cedarjs/internal

11 Versions
License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tobbe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Common for npm packages; not a blocker for established monorepo. | ai |
phantom-deps | phantom-dep:core-js | AI (phantom-deps): Runtime polyfill; stable implicit dependency for this package. | ai |
phantom-deps | phantom-dep:@babel/runtime-corejs3 | AI (phantom-deps): Babel runtime; framework-scoped, loaded by convention. | ai |
npm-metadata | no-description | AI (npm-metadata): Internal monorepo package; missing description is expected. | ai |
dependencies | unvetted-dep:@sdl-codegen/node | AI (dependencies): Legitimate SDL codegen tooling consistent with this package's GraphQL code generation purpose. | ai |
dependencies | unvetted-dep:@graphql-codegen/typescript-react-apollo | AI (dependencies): Standard graphql-codegen plugin; consistent with this package's codegen toolchain. | ai |
phantom-deps | phantom-dep:@babel/plugin-transform-react-jsx | AI (phantom-deps): Framework-scoped Babel plugin loaded by convention, not direct import. | ai |
phantom-deps | phantom-dep:@babel/plugin-transform-typescript | AI (phantom-deps): Framework-scoped Babel plugin loaded by convention, not direct import. | ai |
phantom-deps | phantom-dep:rimraf | AI (phantom-deps): Used in build scripts, not runtime imports; stable false positive for this build-tool package. | ai |
phantom-deps | phantom-dep:@graphql-codegen/typescript-react-apollo | AI (phantom-deps): Codegen plugin referenced by config; stable false positive. | ai |
bogus-package | bogus-package | AI (bogus-package): Internal framework package; sparse README and no keywords are expected for monorepo sub-packages. | ai |
phantom-deps | phantom-dep:@graphql-codegen/typed-document-node | AI (phantom-deps): Codegen plugin referenced by config, not direct import; stable false positive. | ai |
phantom-deps | phantom-dep:ts-node | AI (phantom-deps): Referenced in config/tooling context, not a runtime import. | ai |
phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): Declared dep used via config convention; stable false positive. | ai |
phantom-deps | phantom-dep:systeminformation | AI (phantom-deps): Declared dep; phantom-dep heuristic misfires on this framework package. | ai |
phantom-deps | phantom-dep:@graphql-tools/documents | AI (phantom-deps): Declared dep; used indirectly via codegen pipeline. | ai |
phantom-deps | phantom-dep:string-env-interpolation | AI (phantom-deps): Declared dep; stable false positive for this package. | ai |

Versions (showing 11 of 11)

Version | Deps | Published
4.1.0 | 42 / 7 |
4.0.0 | 40 / 7 |
3.1.1 | 37 / 7 |
3.0.0 | 37 / 7 |
2.5.0 | 38 / 7 |
2.2.1 | 38 / 7 |
2.1.0 | 39 / 8 |
2.0.3 | 39 / 8 |
2.0.2 | 39 / 8 |
1.1.0 | 39 / 8 |
1.0.0 | 39 / 8 |

v4.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.