@cubejs-backend/schema-compiler
Cube schema compiler
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): antlr4ts is the TypeScript ANTLR4 runtime, directly referenced in the generate script for grammar compilation. | ai | |
| dependencies | unvetted-dep:antlr4ts | AI (dependencies): antlr4ts is the standard TypeScript ANTLR4 runtime; its use is consistent with the grammar generation toolchain in this package. | ai | |
| provenance | publisher-changed | AI (provenance): Cube.js migrated to GitHub Actions CI/CD publishing; SLSA attestation confirms legitimate automated release pipeline. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived monorepo package; dormancy reflects release cadence, not account takeover. SLSA provenance confirms legitimate CI publish. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped babel package loaded by convention in this schema compiler; stable false positive. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; link-dump README and no keywords are expected for internal packages. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Framework-scoped babel package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/standalone | AI (phantom-deps): Framework-scoped babel package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:humps | AI (phantom-deps): humps is a runtime dep used transitively in this monorepo package; stable false positive. | ai |
Versions (showing 11 of 116)
| Version | Deps | Published |
|---|---|---|
| 1.3.62 | 25 / 24 | |
| 1.3.61 | 25 / 24 | |
| 1.3.60 | 25 / 24 | |
| 1.3.59 | 25 / 24 | |
| 1.3.58 | 25 / 24 | |
| 1.3.57 | 25 / 24 | |
| 1.3.13 | 25 / 24 | |
| 1.3.12 | 25 / 24 | |
| 1.3.11 | 25 / 24 | |
| 1.0.14 | 24 / 26 | |
| 1.0.13 | 24 / 26 |
v1.3.62
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.61
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.60
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.59
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.58
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.57
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.14
2 findingsThis version was published by a different npm account than previous versions on 2025-12-16. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.13
2 findingsThis version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.