
@cerbos/hub

Client library for interacting with Cerbos Hub from server-side Node.js applications

Versions: 16
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

alexolivier, ahaines

Keywords

Cerbos, Cerbos Hub, authorization, access control, roles, permissions, policy, security, role-based access control, RBAC, attribute-based access control, ABAC, policy decision point, PDP

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | encoded-string-file:lib/protobuf/cerbos/cloud/store/v1/store_pb.js | AI (source-diff): Base64 protobuf file descriptor passed to fileDesc(); standard @bufbuild/protobuf codegen pattern. | ai |
source-diff | encoded-string-file:src/protobuf/cerbos/cloud/apikey/v1/apikey_pb.ts | AI (source-diff): Base64-encoded protobuf file descriptor passed to fileDesc(); standard @bufbuild/protobuf pattern, not obfuscation. | ai |
source-diff | encoded-string-file:src/protobuf/cerbos/cloud/auth/v1/auth_pb.ts | AI (source-diff): Base64-encoded protobuf file descriptor; same benign @bufbuild/protobuf pattern. | ai |
source-diff | encoded-string-file:src/protobuf/cerbos/cloud/store/v1/store_pb.ts | AI (source-diff): Base64-encoded protobuf file descriptor; same benign @bufbuild/protobuf pattern. | ai |
source-diff | encoded-string-file:src/protobuf/buf/validate/validate_pb.ts | AI (source-diff): Base64-encoded protobuf file descriptor; same benign @bufbuild/protobuf pattern. | ai |
source-diff | encoded-string-file:lib/protobuf/cerbos/cloud/apikey/v1/apikey_pb.js | AI (source-diff): Base64 protobuf file descriptor generated by @bufbuild/protobuf toolchain; stable pattern across all versions of this package. | ai |
typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @cerbos/hub is a legitimate Cerbos SDK package; Levenshtein match to 'yup' is a false positive. | ai |

Versions (showing 16 of 16)

Version | Deps | Published
0.5.6 | 5 / 0 |
0.5.5 | 5 / 0 |
0.5.4 | 5 / 0 |
0.5.3 | 5 / 0 |
0.5.2 | 5 / 0 |
0.5.1 | 6 / 1 |
0.5.0 | 6 / 1 |
0.4.0 | 6 / 1 |
0.3.0 | 5 / 1 |
0.2.4 | 5 / 1 |
0.2.3 | 5 / 1 |
0.2.2 | 5 / 1 |
0.2.1 | 6 / 1 |
0.2.0 | 6 / 1 |
0.1.1 | 6 / 1 |
0.1.0 | 6 / 1 |

v0.5.6

5 findings
[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/apikey/v1/apikey_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/auth/v1/auth_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/store/v1/store_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/buf/validate/validate_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.5

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.4

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.3

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.2

2 findings
[HIGH] Long encoded string in modified file: lib/protobuf/cerbos/cloud/apikey/v1/apikey_pb.js (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.1

2 findings
[HIGH] Long encoded string in modified file: lib/protobuf/cerbos/cloud/apikey/v1/apikey_pb.js (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

2 findings
[HIGH] Long encoded string in modified file: lib/protobuf/cerbos/cloud/apikey/v1/apikey_pb.js (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.4

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.3

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.2

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

6 findings
[HIGH] Complete maintainer takeover detected (maintainer-change)

All previous maintainers (cerbosdev) were replaced by new maintainers (alexolivier, ahaines). This is a strong signal of a potential package hijack and requires careful review.

[HIGH] Publisher changed: cerbosdev → GitHub Actions (on 2025-10-14) (provenance)

This version was published by a different npm account than previous versions on 2025-10-14. This could indicate a legitimate maintainer transition or an account compromise.

[HIGH] Long encoded string in modified file: lib/protobuf/cerbos/cloud/store/v1/store_pb.js (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/apikey/v1/apikey_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/store/v1/store_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

4 findings
[HIGH] Long encoded string in modified file: lib/protobuf/cerbos/cloud/store/v1/store_pb.js (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/apikey/v1/apikey_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[HIGH] Long encoded string in modified file: src/protobuf/cerbos/cloud/store/v1/store_pb.ts (source-diff)

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.