@cubejs-backend/testing
Cube.js e2e tests
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Cube.js monorepo with SLSA provenance; CI/CD publisher consistent with org's release pattern. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): Standard proxy utility used in Cube.js testing infra; stable dependency across versions. | ai | |
| dependencies | unvetted-dep:@cubejs-backend/dotenv | AI (dependencies): Same org scope (@cubejs-backend); internal fork of dotenv used across the monorepo. | ai | |
| provenance | no-provenance | AI (provenance): Large established monorepo; provenance not yet adopted across all packages. | ai | |
| phantom-deps | phantom-dep:dedent | AI (phantom-deps): Testing utility; config-file reference pattern is stable false positive. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): Testing utility; config-file reference pattern is stable false positive. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/dotenv | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal testing package in a large monorepo; minimal README and no keywords are expected. | ai | |
| phantom-deps | phantom-dep:@cubejs-client/ws-transport | AI (phantom-deps): Testing utility; config-file reference pattern is stable false positive. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/schema-compiler | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/cubestore-driver | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@cubejs-backend/query-orchestrator | AI (phantom-deps): Same-org monorepo dep; stable false positive for this package. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 1.6.55 | 16 / 21 | |
| 1.6.54 | 16 / 21 | |
| 1.6.53 | 16 / 21 | |
| 1.6.52 | 16 / 21 | |
| 1.6.51 | 16 / 21 | |
| 1.6.50 | 16 / 21 | |
| 1.6.49 | 16 / 21 | |
| 1.6.48 | 16 / 21 | |
| 1.6.47 | 16 / 21 | |
| 1.6.44 | 16 / 21 | |
| 1.6.43 | 16 / 21 | |
| 1.6.12 | 16 / 21 | |
| 1.5.11 | 16 / 21 | |
| 1.5.7 | 16 / 21 | |
| 1.5.2 | 16 / 21 | |
| 1.3.37 | 16 / 21 | |
| 1.3.26 | 16 / 21 | |
| 1.3.25 | 16 / 21 | |
v1.6.55
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.54
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.53
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.52
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.51
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.50
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.49
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.48
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.47
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.44
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.43
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.37
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.25
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.