@cubejs-backend/server
Cube.js all-in-one server
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@cubejs-backend/dotenv | AI (dependencies): Same-org scoped fork of dotenv; stable dependency pattern across Cube.js monorepo versions. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation and no material changes vs prior version mitigate account-takeover concern for this established monorepo package. | ai | |
| phantom-deps | phantom-dep:@oclif/config | AI (phantom-deps): oclif config loaded via manifest/plugin system, not direct import; stable FP. | ai | |
| phantom-deps | phantom-dep:codesandbox-import-utils | AI (phantom-deps): Likely used indirectly via server-core or dynamic require; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/cubestore-driver | AI (phantom-deps): Same-org dep loaded dynamically; stable FP for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@oclif/plugin-help | AI (phantom-deps): Declared as oclif plugin in package.json oclif.plugins; loaded by framework, not direct import. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): Used via oclif CLI/config indirection, not direct import; stable FP for this package. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Legitimate Cube.js monorepo package; not a typosquat of semver — Levenshtein match is coincidental. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Cube.js ecosystem package; sparse README is a documentation issue, not a spam/bogus signal. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 1.6.55 | 19 / 13 | |
| 1.6.54 | 19 / 13 | |
| 1.6.53 | 19 / 13 | |
| 1.6.52 | 19 / 13 | |
| 1.6.51 | 19 / 13 | |
| 1.6.50 | 19 / 13 | |
| 1.6.49 | 19 / 13 | |
| 1.6.48 | 19 / 13 | |
| 1.6.47 | 19 / 13 | |
| 1.6.46 | 19 / 13 | |
| 1.6.45 | 19 / 13 | |
| 1.6.44 | 19 / 13 | |
| 1.6.43 | 19 / 13 | |
| 1.6.0 | 19 / 13 | |
| 1.5.10 | 19 / 13 | |
| 1.5.4 | 19 / 13 | |
| 1.5.2 | 19 / 13 | |
| 1.3.85 | 19 / 13 | |
| 1.3.84 | 19 / 13 | |
| 1.3.83 | 19 / 13 |
v1.6.55
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.54
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.53
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.52
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.51
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.50
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.49
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.48
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.47
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.46
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.45
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.44
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.43
2 findingsPackage name '@cubejs-backend/server' is 1 edit(s) away from popular package 'semver'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.85
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.84
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.83
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.