@chromatic-com/cypress — Greenflagged

Chromatic Visual Regression Testing for Cypress

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

katiebayesjmhobbstmeasdayndelangenstevenkittermanthafryertevanoffandrewortweinghengeveldpaulelliottcodykaupwinkervsbecksjustin-thurmanmcnuggies

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@chromaui/rrweb-snapshot	AI (dependencies): Chromatic's own fork of rrweb-snapshot; consistent with publisher identity and package purpose across all versions.	ai	2026/05/10
phantom-deps	phantom-dep:storybook	AI (phantom-deps): storybook is an intentional peer/runtime dep for this Storybook-integrated Cypress tool, not a phantom.	ai	2026/05/04
phantom-deps	phantom-dep:@storybook/csf	AI (phantom-deps): Storybook CSF is an intentional dependency for this Chromatic visual testing package.	ai	2026/05/04
phantom-deps	phantom-dep:@storybook/addon-essentials	AI (phantom-deps): Storybook addon-essentials is an intentional dependency for this Chromatic visual testing package.	ai	2026/05/04
typosquat	typosquat.levenshtein:express	AI (typosquat): Scoped @chromatic-com/cypress package from the legitimate Chromatic org; edit-distance match to 'express' is purely coincidental.	ai	2026/04/29
bogus-package	bogus-package	AI (bogus-package): Established Chromatic tooling package; README link dump signal is a false positive for a well-known testing integration.	ai	2026/04/29

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.