← Home

@checkstack/notification-backend

npm
29
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

enyineer

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:@checkstack/automation-backend AI (dependencies): Same org scope (@checkstack); consistent with the package's internal ecosystem pattern once the dep itself is vetted. ai
publish-pattern new-deps-added AI (publish-pattern): @orpc/server is a legitimate RPC library; addition is consistent with this org's backend package evolution. ai
dependencies unvetted-dep:@orpc/server AI (dependencies): @orpc/server is a legitimate open-source RPC library; stable dependency for this package. ai
dependencies unvetted-dep:@checkstack/cache-utils AI (dependencies): Same-org @checkstack scoped package; consistent with the ecosystem pattern of this package. ai
dependencies unvetted-dep:@checkstack/cache-api AI (dependencies): Same-org @checkstack scoped package; consistent with the ecosystem pattern of this package. ai
dependencies unvetted-dep:@checkstack/auth-backend AI (dependencies): Monorepo workspace sibling; not an external supply-chain risk. ai
dependencies unvetted-dep:@checkstack/queue-api AI (dependencies): Monorepo workspace sibling; not an external supply-chain risk. ai
dependencies unvetted-dep:@checkstack/auth-common AI (dependencies): Monorepo workspace sibling; not an external supply-chain risk. ai
dependencies unvetted-dep:@checkstack/backend-api AI (dependencies): Monorepo workspace sibling; not an external supply-chain risk. ai
dependencies unvetted-dep:@checkstack/notification-common AI (dependencies): Monorepo workspace sibling; not an external supply-chain risk. ai
bogus-package bogus-package AI (bogus-package): Internal @checkstack org package; sparse metadata is consistent across the whole org's packages. ai
phantom-deps phantom-dep:@checkstack/queue-api AI (phantom-deps): Same-org scoped dep; phantom-dep heuristic unreliable for monorepo-style packages. ai
provenance no-provenance AI (provenance): No provenance across @checkstack org; not a malware signal here. ai
npm-metadata no-description AI (npm-metadata): Internal tooling package; missing description is stable across this org's packages. ai

Versions (showing 29 of 29)

Version Deps Published
1.4.2 13 / 7
1.3.0 12 / 7
1.2.0 12 / 7
1.1.0 12 / 7
1.0.5 12 / 7
1.0.4 12 / 7
1.0.3 12 / 7
1.0.2 12 / 7
1.0.1 12 / 7
1.0.0 12 / 7
0.2.1 12 / 6
0.2.0 12 / 6
0.1.23 10 / 6
0.1.21 10 / 6
0.1.20 10 / 6
0.1.16 10 / 6
0.1.13 9 / 8
0.1.8 9 / 8
0.1.7 9 / 8
0.1.6 9 / 8
0.1.5 9 / 8
0.1.4 9 / 8
0.1.3 9 / 8
0.1.2 9 / 8
0.1.1 9 / 8
0.1.0 9 / 8
0.0.4 9 / 8
0.0.3 9 / 8
0.0.2 9 / 8

v1.4.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.23

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.21

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.20

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.16

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: enyineer.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.