@cubejs-backend/native
Native module for Cube.js (binding to Rust codebase)
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): High-volume package (558 versions) with SLSA provenance; CI/CD publishing pattern is consistent with the project's release cadence. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/shared | AI (phantom-deps): Same-org peer dep; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@cubejs-infra/post-installer | AI (dependencies): First-party Cube infra tooling used consistently across versions for prebuilt binary installation. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher is confirmed legitimate by SLSA/Sigstore attestation on the cube-js org pipeline. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Fetches prebuilt Rust native binaries from GitHub releases; documented pattern for this package. | ai | |
| phantom-deps | phantom-dep:@cubejs-infra/post-installer | AI (phantom-deps): Referenced in resources config for binary fetching, not a direct JS import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/cubesql | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic false positive for this native binding package. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 1.6.50 | 3 / 9 | |
| 1.6.49 | 3 / 9 | |
| 1.6.46 | 3 / 9 | |
| 1.6.44 | 3 / 9 | |
| 1.6.43 | 3 / 9 | |
| 1.6.41 | 3 / 9 | |
| 1.6.38 | 3 / 9 | |
| 1.6.33 | 3 / 9 | |
| 1.6.23 | 3 / 9 | |
| 1.6.18 | 3 / 9 | |
| 1.6.17 | 3 / 9 | |
| 1.6.9 | 3 / 9 | |
| 1.6.8 | 3 / 9 | |
| 1.6.2 | 3 / 9 | |
| 1.6.1 | 3 / 9 | |
| 1.5.16 | 3 / 9 | |
| 1.5.12 | 3 / 9 | |
| 1.5.11 | 3 / 9 | |
| 1.5.10 | 3 / 9 | |
| 1.5.9 | 3 / 9 | |
| 1.5.7 | 3 / 9 | |
| 1.5.5 | 3 / 9 | |
| 1.5.4 | 3 / 9 | |
| 1.5.3 | 3 / 9 | |
| 1.5.2 | 3 / 9 | |
| 1.4.1 | 3 / 9 | |
| 1.0.13 | 3 / 8 | |
v1.6.50
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.49
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.46
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.44
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.43
2 findings:
Script: post-installer || echo 'Your system is not supported by @cubejs-backend/native, some feature will be unavailable.'
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.41
2 findings:
This version was published by a different npm account than previous versions on 2026-05-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.38
2 findings:
This version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.33
2 findings:
This version was published by a different npm account than previous versions on 2026-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.