@diia-inhouse/i18n
Internationalization package
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:glob | AI (phantom-deps): glob is used in madge config for circular dependency detection; legitimate build-time dependency. | ai | |
| phantom-deps | phantom-dep:@types/i18n | AI (phantom-deps): TypeScript types package loaded by convention; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@diia-inhouse/diia-logger | AI (phantom-deps): Same-org scoped package used internally; stable dependency pattern. | ai | |
| provenance | no-provenance | AI (provenance): Diia packages consistently lack Sigstore provenance; this is a stable characteristic of the publisher, not a per-version risk. | ai | |
| dependencies | unvetted-dep:@types/i18n | AI (dependencies): @types/i18n is a DefinitelyTyped type definition package; stable, well-known, no security concern for this i18n package. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE.md | AI (license): Standard SPDX expression for a custom license file; Diia is a well-known Ukrainian government open-source project. Stable across versions. | ai | |
| dependencies | unvetted-dep:i18next-fs-backend | AI (dependencies): i18next-fs-backend is the standard filesystem backend plugin for i18next; legitimate and expected dependency for an i18n package. | ai | |
| dependencies | unvetted-dep:@diia-inhouse/diia-logger | AI (dependencies): Same-org sibling package from the Diia open-source project; expected internal dependency. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 3.1.9 | 9 / 21 | |
| 3.1.8 | 9 / 21 | |
| 3.1.7 | 9 / 21 | |
| 3.1.6 | 9 / 21 | |
| 3.1.5 | 9 / 21 | |
| 3.1.4 | 9 / 21 | |
| 3.1.3 | 9 / 21 | |
| 3.1.2 | 9 / 21 | |
| 3.1.1 | 9 / 21 | |
| 3.1.0 | 9 / 21 | |
| 2.8.24 | 9 / 16 | |
| 2.8.23 | 9 / 16 | |
| 2.8.20 | 9 / 16 | |
| 2.8.19 | 9 / 16 | |
| 2.8.18 | 9 / 16 | |
| 2.8.17 | 9 / 16 | |
| 2.8.16 | 9 / 16 | |
| 2.8.15 | 9 / 16 | |
| 2.8.14 | 9 / 16 | |
| 2.8.13 | 9 / 16 | |
| 2.8.12 | 9 / 16 | |
| 2.8.11 | 9 / 16 | |
| 2.8.10 | 9 / 16 | |
| 2.8.9 | 9 / 16 | |
| 2.8.8 | 9 / 16 | |
| 2.8.7 | 9 / 16 | |
| 2.8.6 | 9 / 16 | |
| 2.8.5 | 9 / 16 | |
| 2.8.4 | 9 / 16 | |
| 2.8.2 | 9 / 16 | |
v3.1.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.23
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.