@copilotkit/runtime-client-gql

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

copilotkit

Keywords

aiassistantautomationcopilotcopilotkitjavascriptnextjsnodejsreacttextarea

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; legitimate for this org.	ai	2026/05/30
provenance	no-provenance	AI (provenance): CopilotKit monorepo consistently publishes without Sigstore provenance; stable false positive for this package.	ai	2026/04/29

Versions (showing 35 of 35)

Version	Deps	Published
1.59.4	4 / 17	2026-06-04
1.59.3	4 / 17	2026-06-03
1.59.2	4 / 17	2026-05-30
1.59.1	4 / 17	2026-05-29
1.59.0	4 / 17	2026-05-29
1.58.0	4 / 17	2026-05-26
1.57.4	4 / 17	2026-05-21
1.57.3	4 / 17	2026-05-19
1.57.2	4 / 17	2026-05-19
1.57.1	4 / 17	2026-05-07
1.57.0	4 / 17	2026-05-05
1.56.5	4 / 17	2026-04-30
1.56.4	4 / 17	2026-04-27
1.56.3	4 / 17	2026-04-22
1.56.2	4 / 17	2026-04-16
1.56.1	4 / 17	2026-04-16
1.56.0	4 / 17	2026-04-15
1.55.3	4 / 17	2026-04-11
1.55.2	4 / 17	2026-04-10
1.55.1	4 / 17	2026-04-09
1.55.0	4 / 17	2026-04-09
1.54.1	4 / 17	2026-03-26
1.54.0	4 / 17	2026-03-12
1.53.0	4 / 17	2026-03-05
1.52.1	5 / 17	2026-02-27
1.52.0	5 / 17	2026-02-26
1.9.3	4 / 19	2025-07-17
1.9.2	4 / 19	2025-07-14
1.9.1	4 / 19	2025-06-17
1.9.0	4 / 19	2025-06-13
1.8.14	4 / 19	2025-06-06
1.8.13	4 / 19	2025-05-21
1.8.12	4 / 19	2025-05-15
1.8.11	4 / 19	2025-05-08
1.8.10	4 / 19	2025-05-06

v1.59.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.59.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.59.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.59.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.59.0

2 findings

HIGH Publisher changed: copilotkit → GitHub Actions (on 2026-05-29) provenance

This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.58.0

2 findings

HIGH Publisher changed: copilotkit → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.57.4

2 findings

HIGH Publisher changed: copilotkit → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.