@digitransit-component/digitransit-component

a JavaScript library for Digitransit

Versions: 15
License: (AGPL-3.0 OR EUPL-1.2)
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

digitransit

Keywords

digitransit-component

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing is confirmed by SLSA Sigstore attestation; stable pattern for this package going forward. | ai |
license | copyleft-license:AGPL-3.0 | AI (license): Intentional dual-license choice; stable for this package. | ai |
license | copyleft-license:EUPL-1.2 | AI (license): Intentional dual-license choice; stable for this package. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-favourite-bar | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-favourite-modal | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-icon | AI (dependencies): Internal sibling package from same HSLdevcom monorepo; not a third-party risk. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-with-breakpoint | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-favourite-editing-modal | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-suggestion-item | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-autosuggest | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |
dependencies | unvetted-dep:@digitransit-component/digitransit-component-control-panel | AI (dependencies): Internal sibling package from same HSLdevcom monorepo. | ai |

Versions (showing 15 of 15)

Version | Deps | Published
5.0.14 | 9 / 0 |
5.0.12 | 9 / 0 |
5.0.11 | 9 / 0 |
5.0.10 | 9 / 0 |
5.0.9 | 9 / 0 |
5.0.8 | 9 / 0 |
5.0.7 | 9 / 0 |
5.0.6 | 9 / 0 |
5.0.5 | 9 / 0 |
5.0.4 | 9 / 0 |
5.0.2 | 9 / 0 |
5.0.1 | 9 / 0 |
5.0.0 | 9 / 0 |
4.0.2 | 9 / 0 |
4.0.1 | 9 / 0 |

v5.0.14

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.12

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.11

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.10

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.9

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.8

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.7

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.6

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.5

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.4

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.2

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding
INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

2 findings
HIGH [provenance]: Publisher changed: digitransit → GitHub Actions (on 2025-12-03)

This version was published by a different npm account than previous versions on 2025-12-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO [provenance]: Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
LOW [provenance]: No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.