@certd/lib-server
midway with flyway, sql upgrade way
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/user/addon/service/addon-service.js | AI (source-diff): File is standard tsc-compiled TypeScript with decorator helpers; long lines are generated boilerplate, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@certd/acme-client | AI (phantom-deps): Same-org scoped dependency; likely used indirectly or via config; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:mwtsc | AI (dependencies): mwtsc is the official Midway.js TypeScript compiler wrapper; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@midwayjs/logger | AI (dependencies): Official @midwayjs scoped package; stable false positive for this Midway-based package. | ai | |
| dependencies | unvetted-dep:@midwayjs/cache | AI (dependencies): Official @midwayjs scoped package; stable false positive for this Midway-based package. | ai | |
| dependencies | unvetted-dep:mwts | AI (dependencies): mwts is the official Midway.js TypeScript style tool; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 151 versions; no provenance is consistent with its publish history. | ai | |
| phantom-deps | phantom-dep:@midwayjs/upload | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:mwts | AI (phantom-deps): mwts is a build/lint tool referenced in scripts, not a runtime import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): TypeORM driver loaded dynamically by config, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@midwayjs/validate | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:mwtsc | AI (phantom-deps): mwtsc is a build tool referenced in scripts, not a runtime import; stable false positive. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): cross-env is a script runner utility, not a runtime import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@midwayjs/cache | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive for midway-based packages. | ai | |
| phantom-deps | phantom-dep:@midwayjs/logger | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive for midway-based packages. | ai | |
| phantom-deps | phantom-dep:@midwayjs/i18n | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@midwayjs/info | AI (phantom-deps): Framework plugin loaded via DI config, not direct import; stable false positive. | ai | |
Versions (showing 51 of 98)
| Version | Deps | Published |
|---|---|---|
| 1.41.1 | 20 / 17 | |
| 1.41.0 | 20 / 17 | |
| 1.40.5 | 20 / 17 | |
| 1.40.4 | 20 / 17 | |
| 1.40.3 | 20 / 17 | |
| 1.40.2 | 20 / 17 | |
| 1.40.1 | 20 / 17 | |
| 1.40.0 | 20 / 17 | |
| 1.39.16 | 20 / 17 | |
| 1.39.14 | 20 / 17 | |
| 1.39.13 | 20 / 17 | |
| 1.39.12 | 21 / 12 | |
| 1.39.11 | 21 / 12 | |
| 1.39.10 | 21 / 12 | |
| 1.39.9 | 21 / 12 | |
| 1.39.8 | 21 / 12 | |
| 1.39.7 | 21 / 12 | |
| 1.39.6 | 21 / 12 | |
| 1.39.5 | 21 / 12 | |
| 1.39.4 | 21 / 12 | |
| 1.39.3 | 21 / 12 | |
| 1.39.2 | 21 / 12 | |
| 1.39.1 | 21 / 12 | |
| 1.39.0 | 21 / 12 | |
| 1.38.12 | 21 / 12 | |
| 1.38.11 | 21 / 12 | |
| 1.38.10 | 21 / 12 | |
| 1.38.9 | 21 / 12 | |
| 1.38.8 | 21 / 12 | |
| 1.38.7 | 21 / 12 | |
| 1.38.6 | 21 / 12 | |
| 1.38.5 | 21 / 12 | |
| 1.38.4 | 21 / 12 | |
| 1.38.3 | 21 / 12 | |
| 1.38.2 | 21 / 12 | |
| 1.38.1 | 21 / 12 | |
| 1.38.0 | 21 / 12 | |
| 1.37.17 | 21 / 12 | |
| 1.37.16 | 21 / 12 | |
| 1.37.15 | 21 / 12 | |
| 1.37.14 | 21 / 12 | |
| 1.37.13 | 21 / 12 | |
| 1.37.12 | 21 / 12 | |
| 1.37.11 | 21 / 12 | |
| 1.37.10 | 21 / 12 | |
| 1.37.9 | 21 / 12 | |
| 1.37.8 | 21 / 12 | |
| 1.37.7 | 21 / 12 | |
| 1.37.6 | 21 / 12 | |
| 1.37.5 | 21 / 12 | |
| 1.37.4 | 21 / 12 | |
v1.41.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.41.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.39.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.39.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.39.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.39.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.38.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.38.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.38.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.37.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.37.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.37.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.37.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.37.4
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.