@chat-adapter/state-memory

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

matt.strakavercel-release-botcramforce

Keywords

chatchat-sdkstatestate-adaptermemoryin-memorydevelopmenttesting

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Vercel migrated publishing to GitHub Actions CI with SLSA attestation; stable pattern for this org's packages.	ai	2026/05/01
maintainer-change	maintainer-added	AI (maintainer-change): vercel-release-bot and matt.straka are Vercel org accounts; consistent with org-level CI automation transition.	ai	2026/05/01
provenance	no-provenance	AI (provenance): Vercel/chat monorepo package published by a long-standing, high-trust publisher; lack of Sigstore provenance is common and not a risk indicator here.	ai	2026/04/25

Versions (showing 45 of 45)

Version	Deps	Published
4.30.0	1 / 4	2026-06-02
4.29.0	1 / 4	2026-05-18
4.28.1	1 / 4	2026-05-08
4.27.0	1 / 4	2026-04-30
4.26.0	1 / 4	2026-04-14
4.25.0	1 / 4	2026-04-11
4.24.0	1 / 4	2026-04-07
4.23.0	1 / 4	2026-03-26
4.22.0	1 / 4	2026-03-24
4.21.0	1 / 4	2026-03-23
4.20.2	1 / 4	2026-03-16
4.20.1	1 / 4	2026-03-12
4.20.0	1 / 4	2026-03-11
4.19.0	1 / 4	2026-03-10
4.18.0	1 / 4	2026-03-07
4.17.0	1 / 4	2026-03-06
4.16.1	1 / 4	2026-03-04
4.16.0	1 / 4	2026-03-04
4.15.0	1 / 4	2026-02-26
4.14.0	1 / 4	2026-02-24
4.13.4	1 / 4	2026-02-24
4.13.3	1 / 4	2026-02-23
4.13.2	1 / 4	2026-02-23
4.13.1	1 / 4	2026-02-20
4.13.0	1 / 4	2026-02-20
4.12.0	1 / 4	2026-02-18
4.11.0	1 / 4	2026-02-16
4.10.1	1 / 4	2026-02-15
4.10.0	1 / 4	2026-02-15
4.9.1	1 / 4	2026-02-12
4.9.0	1 / 4	2026-02-10
4.8.0	1 / 4	2026-02-06
4.7.2	1 / 4	2026-02-06
4.7.1	1 / 4	2026-01-24
4.7.0	1 / 4	2026-01-23
4.6.0	1 / 4	2026-01-21
4.5.0	1 / 4	2026-01-21
4.4.1	1 / 4	2026-01-21
4.4.0	1 / 4	2026-01-20
4.3.0	1 / 4	2026-01-05
4.2.0	1 / 4	2026-01-03
4.1.0	1 / 4	2026-01-03
4.0.2	1 / 4	2026-01-02
4.0.1	1 / 4	2026-01-02
4.0.0	1 / 4	2026-01-02

v4.30.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.29.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.28.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.27.0

2 findings

HIGH Publisher changed: cramforce → GitHub Actions (on 2026-04-30) provenance

This version was published by a different npm account than previous versions on 2026-04-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.26.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.25.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.24.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.23.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.