@contrail/documents
Documents library for contrail platform
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Publisher is a known maintainer; missing gitHead reflects CI environment change, not malicious activity. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers share the -vibeiq org suffix; consistent with internal team rotation, not external takeover. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal paired with same-org additions; consistent with routine team handoff. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): reflect-metadata is a well-known implicit runtime dep for TypeScript decorators; stable false positive for this package. | ai |
Versions (showing 51 of 66)
| Version | Deps | Published |
|---|---|---|
| 1.5.6 | 5 / 9 | |
| 1.5.5 | 5 / 9 | |
| 1.5.4 | 5 / 9 | |
| 1.5.3 | 5 / 9 | |
| 1.5.2 | 5 / 9 | |
| 1.5.1 | 6 / 8 | |
| 1.5.0 | 6 / 8 | |
| 1.4.2 | 6 / 8 | |
| 1.4.0 | 6 / 8 | |
| 1.3.29 | 5 / 8 | |
| 1.3.27 | 5 / 8 | |
| 1.3.26 | 5 / 8 | |
| 1.3.25 | 5 / 8 | |
| 1.3.24 | 5 / 8 | |
| 1.3.21 | 5 / 8 | |
| 1.3.20 | 5 / 8 | |
| 1.3.19 | 5 / 8 | |
| 1.3.18 | 5 / 8 | |
| 1.3.17 | 5 / 8 | |
| 1.3.16 | 5 / 8 | |
| 1.3.15 | 5 / 8 | |
| 1.3.14 | 5 / 8 | |
| 1.3.13 | 5 / 8 | |
| 1.3.12 | 5 / 8 | |
| 1.3.11 | 5 / 8 | |
| 1.3.10 | 5 / 8 | |
| 1.3.9 | 5 / 8 | |
| 1.3.8 | 5 / 8 | |
| 1.3.7 | 5 / 8 | |
| 1.3.6 | 5 / 8 | |
| 1.3.5 | 5 / 8 | |
| 1.3.4 | 5 / 8 | |
| 1.3.3 | 5 / 8 | |
| 1.3.2 | 5 / 8 | |
| 1.3.0 | 5 / 8 | |
| 1.2.8 | 5 / 8 | |
| 1.2.7 | 5 / 8 | |
| 1.2.6 | 5 / 8 | |
| 1.2.5 | 5 / 8 | |
| 1.2.4 | 5 / 8 | |
| 1.2.3 | 5 / 8 | |
| 1.2.2 | 5 / 8 | |
| 1.2.1 | 5 / 8 | |
| 1.2.0 | 5 / 8 | |
| 1.1.25 | 5 / 8 | |
| 1.1.24 | 5 / 8 | |
| 1.1.23 | 5 / 8 | |
| 1.1.22 | 5 / 8 | |
| 1.1.21 | 5 / 8 | |
| 1.1.20 | 5 / 8 | |
| 1.1.19 | 5 / 8 |
v1.5.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: adamvibeiq.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (adamvibeiq) than the most recent previously approved version (mazairaj) on 2026-04-22, but adamvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.5.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (cfvibeiq) than the most recent previously approved version (mazairaj) on 2026-04-21, but cfvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.5.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: adamvibeiq.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (adamvibeiq) than the most recent previously approved version (mazairaj) on 2026-04-08, but adamvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.4.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: adamvibeiq.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (adamvibeiq) than the most recent previously approved version (mazairaj) on 2026-04-01, but adamvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.27
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2026-03-19, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.26
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2026-03-18, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.25
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (mazairaj) than the most recent previously approved version (zileeva) on 2026-02-16, but mazairaj is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.24
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (mazairaj) than the most recent previously approved version (zileeva) on 2026-01-27, but mazairaj is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.21
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (mazairaj) than the most recent previously approved version (zileeva) on 2026-01-26, but mazairaj is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.20
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (mazairaj) than the most recent previously approved version (zileeva) on 2026-02-16, but mazairaj is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.18
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (cfvibeiq) than the most recent previously approved version (zileeva) on 2025-11-14, but cfvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.17
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (cfvibeiq) than the most recent previously approved version (zileeva) on 2025-11-05, but cfvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-10-07, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-10-05, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.8
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-10-05, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-10-05, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-10-01, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (mazairaj) on 2025-09-28, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (btosadoprater) on 2025-09-28, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-09-18, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (btosadoprater) than the most recent previously approved version (zileeva) on 2025-09-15, but btosadoprater is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.7
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (cfvibeiq) than the most recent previously approved version (zileeva) on 2025-08-25, but cfvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.2.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-08-20, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.2.5
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-08-20, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.2.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.25
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-08-19, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.23
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-08-11, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.22
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (zileeva) than the most recent previously approved version (cfvibeiq) on 2025-08-11, but zileeva is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.1.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.19
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (cfvibeiq) than the most recent previously approved version (mazairaj) on 2025-08-03, but cfvibeiq is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.