@deephaven/app-utils

Deephaven App Utils

Versions: 11
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

vbabich, mofojed, mikebender, niloc132, jnumainville, deephaven-bot, bingles, mattrunyon

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| dependencies | unvetted-dep:@fontsource/fira-sans | AI (dependencies): Well-known Fontsource font package; stable dependency for a UI library. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from deephaven-bot to GitHub Actions CI/CD is a legitimate pipeline change, backed by SLSA provenance attestation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy aligns with CI/CD migration; SLSA attestation confirms legitimate automated publish. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lodash.merge is a well-known utility; consistent with existing lodash.debounce/throttle deps in this package. | ai | |
| dependencies | unvetted-dep:@deephaven/redux | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/utils | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/console | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/storage | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/components | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/jsapi-types | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/jsapi-utils | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/auth-plugins | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/file-explorer | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/jsapi-bootstrap | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/jsapi-components | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@paciolan/remote-component | AI (dependencies): Known third-party remote component loader; pinned version, no advisory signals. | ai | |
| dependencies | unvetted-dep:@paciolan/remote-module-loader | AI (dependencies): Known third-party remote module loader; no advisory signals. | ai | |
| dependencies | unvetted-dep:@deephaven/react-hooks | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/log | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/chart | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@deephaven/icons | AI (dependencies): First-party @deephaven monorepo sibling; stable false positive for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): Deephaven CI/CD pipeline consistently publishes with SLSA provenance; stable for this package. | ai | |

Versions (showing 11 of 11)

Version Deps Published
1.21.1 27 / 1
1.21.0 27 / 1
1.20.0 27 / 1
1.18.0 27 / 1
1.17.1 27 / 1
1.10.0 27 / 1
1.3.0 29 / 5
0.85.46 28 / 4
0.85.44 28 / 4
0.85.39 28 / 4
0.85.37 28 / 4

v1.21.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.21.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.20.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.18.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.1

2 findings
HIGH: Publisher changed: deephaven-bot → GitHub Actions (on 2026-04-01) [provenance]

This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.3.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.85.46

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.85.44

2 findings
HIGH: Publisher changed: deephaven-bot → GitHub Actions (on 2026-03-30) [provenance]

This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.85.39

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.85.37

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.