@cubejs-backend/cloud
Cube Cloud package
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@cubejs-backend/dotenv | AI (dependencies): Scoped sibling package within the same Cube.js org; stable internal dependency across versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal monorepo package; sparse README and no keywords are expected for org-internal packages. | ai | |
| phantom-deps | phantom-dep:env-var | AI (phantom-deps): env-var is declared in dependencies; phantom-dep heuristic fires but it is a legitimate runtime dep. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 1.6.55 | 8 / 7 | |
| 1.6.54 | 8 / 7 | |
| 1.6.53 | 8 / 7 | |
| 1.6.52 | 8 / 7 | |
| 1.6.51 | 8 / 7 | |
| 1.6.50 | 8 / 7 | |
| 1.6.49 | 8 / 7 | |
| 1.6.48 | 8 / 7 | |
| 1.6.47 | 8 / 7 | |
| 1.6.46 | 8 / 7 | |
| 1.6.45 | 8 / 7 | |
| 1.6.44 | 8 / 7 | |
| 1.6.43 | 8 / 7 | |
| 1.6.32 | 8 / 7 | |
| 1.5.8 | 8 / 7 | |
| 1.5.4 | 8 / 7 | |
| 1.5.2 | 8 / 7 | |
| 1.4.1 | 8 / 7 |
v1.6.55
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.54
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.53
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.52
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.51
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.50
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.49
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.48
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.47
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.46
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.45
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.44
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.43
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.