
@copilotkit/runtime

18 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

copilotkit

Keywords

ai, assistant, automation, copilot, copilotkit, javascript, nextjs, nodejs, react, tanstack-intent, textarea

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@segment/analytics-node | AI (phantom-deps): Analytics dep conditionally loaded; stable for this package. | ai |
phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared dep used transitively/conditionally; stable for this package. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Fires in test file only; saving/restoring process.env for test isolation. | ai |
provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA provenance; stable for this package. | ai |
phantom-deps | phantom-dep:ip | AI (phantom-deps): ip is a declared runtime dep used indirectly via framework conventions; stable FP for this package. | ai |
phantom-deps | phantom-dep:@types/ip | AI (phantom-deps): Type-only package, framework-scoped; stable FP for this package. | ai |
phantom-deps | phantom-dep:@ag-ui/core | AI (phantom-deps): Declared in both dependencies and peerDependencies; phantom-dep heuristic is a false positive here. | ai |
phantom-deps | phantom-dep:express | AI (phantom-deps): express is a declared runtime dep used as a peer/optional integration; phantom-dep heuristic fires on config-only references. | ai |
phantom-deps | phantom-dep:@ag-ui/proto | AI (phantom-deps): Declared in both dependencies and peerDependencies; phantom-dep heuristic is a false positive here. | ai |
phantom-deps | phantom-dep:@ag-ui/encoder | AI (phantom-deps): Declared in both dependencies and peerDependencies; phantom-dep heuristic is a false positive here. | ai |
phantom-deps | phantom-dep:ws | AI (phantom-deps): Large runtime package; ws is a transitive/peer dep used indirectly — stable false positive. | ai |
phantom-deps | phantom-dep:@graphql-yoga/plugin-defer-stream | AI (phantom-deps): Used in GraphQL yoga integration; heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:partial-json | AI (phantom-deps): Declared dep in a bundled runtime; heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:@hono/node-server | AI (phantom-deps): Used in optional v2/hono export path; heuristic false positive for this package. | ai |
phantom-deps | phantom-dep:@scarf/scarf | AI (phantom-deps): Scarf analytics loaded via config/postinstall hooks, not direct import; stable false positive. | ai |
phantom-deps | phantom-dep:class-validator | AI (phantom-deps): Used with type-graphql/class-transformer ecosystem; heuristic false positive. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for typed dynamic property access in agent config iteration; standard TypeScript pattern, not obfuscation. | ai |
semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on a test file string literal simulating an error message, not actual /etc/passwd access. | ai |

Versions (showing 18 of 18)

Version Deps Published
1.59.3 40 / 21
1.57.2 40 / 20
1.56.4 40 / 20
1.55.3 40 / 20
1.55.0 40 / 19
1.54.1 26 / 11
1.51.0 17 / 18
1.50.1 23 / 15
1.10.6 26 / 16
1.10.5 31 / 16
1.10.4 31 / 16
1.10.1 31 / 16
1.9.3 33 / 16
1.9.1 30 / 16
1.9.0 30 / 16
1.8.14 28 / 16
1.8.13 28 / 16
1.8.12 28 / 16

v1.59.3

2 findings
HIGH Publisher changed: copilotkit → GitHub Actions (on 2026-06-03) provenance

This version was published by a different npm account than previous versions on 2026-06-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.57.2

2 findings
HIGH env-spread: src/lib/__tests__/telemetry-disclosure.test.ts:17 semgrep

Spreading entire process.env into an object — may capture all secrets

      15 |
      16 | let consoleInfoSpy: MockInstance<typeof console.info>;
    > 17 | const originalEnv = { ...process.env };
      18 |
      19 | beforeEach(() => {

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.55.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.55.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.54.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.51.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.50.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.