@dword-design/base
Versions: 8
License: —
Install scripts: No
Provenance: Verified
Supply chain provenance (status for the latest visible version): SLSA provenance attestation, npm registry signatures, gitHead linked
Maintainers: dword-design
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by CI-attested publish with no material changes; consistent with a tooling/workflow migration rather than account takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Package now publishes via GitHub Actions CI with SLSA attestation; this is a documented CI migration pattern for this org. | ai | |
| dependencies | unvetted-dep:parse-git-config | AI (dependencies): Aliased to @dword-design/parse-git-config — same org as this package; author consistently uses their own forks. No malicious signals. | ai | |
| dependencies | unvetted-dep:spdx-expression-parse | AI (dependencies): spdx-expression-parse is a well-known, widely-used SPDX parsing library with no known security issues. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@commitlint/cli | AI (phantom-deps): commitlint CLI is referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:semantic-release | AI (phantom-deps): semantic-release is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@semantic-release/git | AI (phantom-deps): semantic-release plugin referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@semantic-release/changelog | AI (phantom-deps): semantic-release plugin referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:cz-conventional-changelog | AI (phantom-deps): commitizen adapter referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@commitlint/config-conventional | AI (phantom-deps): commitlint config referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI/CD with SLSA provenance attestation; stable positive signal for this package. | ai | |
| phantom-deps | phantom-dep:@dword-design/eslint-config | AI (phantom-deps): Author's own eslint config, same org scope, referenced in config files. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@dword-design/base-config-node | AI (phantom-deps): Author's own base config package, same org scope, referenced in config. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:c8 | AI (phantom-deps): c8 is a coverage CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is a TypeScript runner referenced in scripts/config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:is-ci | AI (phantom-deps): is-ci is referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:vue-tsc | AI (phantom-deps): vue-tsc is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@dword-design/ci | AI (phantom-deps): Author's own CI package, same org scope, referenced in config. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): eslint is a CLI tool referenced in generated config files, not directly imported. Expected pattern for a project scaffolding base package. | ai | |
| phantom-deps | phantom-dep:husky | AI (phantom-deps): husky is a git-hooks tool invoked via CLI/config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:commitizen | AI (phantom-deps): commitizen is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
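The phantom-dep rows above all share one shape: a package is declared in package.json but no source file imports it, because it is a CLI or a config-only package. The following is an added example, not code from the page, from the review tool that produced it, or from the @dword-design/base project. It reproduces that heuristic and then separates the two cases the reviewer had to tell apart: declared-but-only-referenced in scripts, hooks or config (expected for a scaffolding package) versus declared and referenced nowhere (worth a look). The package.json, file contents and the `binNames` map are constructed for the example; the package names mirror ones listed on this page but none of the contents are the real repository's.

```javascript
// Added example (not the project's or the review tool's code). Sample
// package.json and files are constructed; only the package names are real.
const samplePackageJson = {
  name: 'example-scaffold',
  scripts: {
    test: 'c8 tsx test/index.ts',
    lint: 'eslint .',
    prepare: 'husky',
  },
  dependencies: {
    // npm alias: the package that actually installs is the author's own fork
    'parse-git-config': 'npm:@dword-design/parse-git-config@^1.0.0',
    'spdx-expression-parse': '^4.0.0',
  },
  devDependencies: {
    '@commitlint/cli': '^19.0.0',
    '@commitlint/config-conventional': '^19.0.0',
    c8: '^10.0.0',
    tsx: '^4.0.0',
    eslint: '^9.0.0',
    husky: '^9.0.0',
    'left-pad': '^1.3.0', // declared, never imported, never referenced
  },
};

const sampleFiles = {
  'src/index.js': [
    "import parseGitConfig from 'parse-git-config';",
    "const spdx = require('spdx-expression-parse');",
    'export const license = (s) => spdx(s);',
  ].join('\n'),
  'commitlint.config.js': "export default { extends: ['@commitlint/config-conventional'] };",
  '.husky/commit-msg': 'npx commitlint --edit "$1"',
};

// A CLI's bin name can differ from its package name; assumed map for this example.
const binNames = { '@commitlint/cli': ['commitlint'] };

// ESM `import ... from`, side-effect `import 'x'`, dynamic import() and require().
const IMPORT_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// Reduce an import specifier to a package name: '@scope/name/sub' -> '@scope/name'.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function importedPackages(files) {
  const found = new Set();
  for (const text of Object.values(files)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// 'npm:@scope/other@^1.0.0' -> '@scope/other'; null when the spec is not an alias.
function resolveAlias(spec) {
  const m = /^npm:(@?[^@]+)(?:@.*)?$/.exec(spec);
  return m ? m[1] : null;
}

// Whole-token match so 'eslint' does not match inside '@dword-design/eslint-config'.
function mentionedAsToken(haystack, token) {
  const esc = token.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
  return new RegExp(`(^|[^A-Za-z0-9_.@/-])${esc}($|[^A-Za-z0-9_.@/-])`, 'm').test(haystack);
}

// Returns { name: { status, aliasOf? } } with status one of
// 'imported' | 'referenced-only' | 'unreferenced'.
function classifyDependencies(pkg, files, bins = {}) {
  const imported = importedPackages(files);
  const corpus = [...Object.values(pkg.scripts || {}), ...Object.values(files)].join('\n');
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const report = {};
  for (const [name, spec] of Object.entries(declared)) {
    const tokens = [name, ...(bins[name] || [])];
    let status = 'unreferenced';
    if (imported.has(name)) status = 'imported';
    else if (tokens.some((t) => mentionedAsToken(corpus, t))) status = 'referenced-only';
    const aliasOf = resolveAlias(spec);
    report[name] = aliasOf ? { status, aliasOf } : { status };
  }
  return report;
}

console.log(JSON.stringify(classifyDependencies(samplePackageJson, sampleFiles, binNames), null, 2));
```

A raw phantom-dep rule flags everything that is not `imported`; the triage the table records is the split between `referenced-only` (scripts, hooks and config files name the tool) and `unreferenced`. The alias resolution covers the `unvetted-dep:parse-git-config` row: the name in package.json is not the package that installs.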
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 16.2.6 | 55 / 10 | |
| 16.2.5 | 55 / 10 | |
| 16.0.7 | 54 / 10 | |
| 16.0.5 | 54 / 10 | |
| 16.0.0 | 54 / 10 | |
| 15.5.3 | 54 / 10 | |
| 15.5.2 | 54 / 10 | |
| 15.4.2 | 54 / 9 | |
v16.2.6 (1 finding)
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers, but it only attests which workflow built the tarball; the repository and workflow it names still have to match the expected source.
v16.2.5 (1 finding)
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers, but it only attests which workflow built the tarball; the repository and workflow it names still have to match the expected source.
v16.0.7 (2 findings)
HIGH (provenance): Publisher changed: dword-design → GitHub Actions (on 2025-11-23). This version was published from a GitHub Actions workflow rather than by the dword-design npm account that published earlier versions. That can be a legitimate move to CI publishing (the accepted-risk entry above treats it as one) or an account compromise; the provenance attestation on this version is what lets a consumer check which repository and workflow produced the tarball.
INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest integrity signal the registry offers, but it only attests which workflow built the tarball; the repository and workflow it names still have to match the expected source.
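The publisher-changed finding on v16.0.7 and the provenance findings on every version are two sides of one check: a publisher switch is benign only if the attestation says the tarball was built by the expected repository and workflow. The following is an added example, not code from the page, the package, or the npm or sigstore tooling. It decodes the in-toto statement carried in a DSSE envelope and applies the consumer-side policy checks (predicate type, package subject and digest, source repository and workflow path, builder identity, and the git commit behind the build, which is what "gitHead linked" refers to). It does not verify the Sigstore signature; `npm audit signatures` does that for installed packages. Every value in the sample statement is a constructed placeholder, and the field layout for the GitHub Actions build type is assumed from SLSA v1, so compare it against a real bundle from the registry's attestations endpoint before relying on it.

```javascript
// Added example, not the project's or npm's code. Statement and policy values
// are constructed placeholders; the SLSA v1 field layout is assumed.
const SLSA_V1 = 'https://slsa.dev/provenance/v1';
const IN_TOTO_V1 = 'https://in-toto.io/Statement/v1';
const DSSE_PAYLOAD_TYPE = 'application/vnd.in-toto+json';

const sampleStatement = {
  _type: IN_TOTO_V1,
  subject: [{
    name: 'pkg:npm/%40dword-design/base@16.2.6',
    digest: { sha512: 'a'.repeat(128) }, // placeholder tarball digest
  }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
      externalParameters: {
        workflow: {
          ref: 'refs/heads/main',
          repository: 'https://github.com/dword-design/base',
          path: '.github/workflows/release.yml', // placeholder path
        },
      },
      resolvedDependencies: [{
        uri: 'git+https://github.com/dword-design/base@refs/heads/main',
        digest: { gitCommit: 'b'.repeat(40) }, // placeholder commit
      }],
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};

// Consumer policy. In practice sha512 comes from the registry's dist.integrity
// for the version and gitHead from the published package.json.
const expectedPolicy = {
  name: '@dword-design/base',
  version: '16.2.6',
  sha512: 'a'.repeat(128),
  repository: 'https://github.com/dword-design/base',
  workflowPath: '.github/workflows/release.yml',
  builders: ['https://github.com/actions/runner/github-hosted'],
  gitHead: 'b'.repeat(40),
};

// DSSE envelope as found in a registry attestation bundle: base64 JSON payload.
// The signature is a placeholder and is not checked here.
function buildSampleEnvelope(statement) {
  return {
    payloadType: DSSE_PAYLOAD_TYPE,
    payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
    signatures: [{ sig: 'PLACEHOLDER', keyid: '' }],
  };
}

function decodeStatement(envelope) {
  if (envelope.payloadType !== DSSE_PAYLOAD_TYPE) {
    throw new Error(`unexpected payloadType ${envelope.payloadType}`);
  }
  return JSON.parse(Buffer.from(envelope.payload, 'base64').toString('utf8'));
}

// npm provenance subjects are package URLs; a scope's '@' is percent-encoded.
function npmPurl(name, version) {
  return `pkg:npm/${name.replace(/^@/, '%40')}@${version}`;
}

function checkProvenance(envelope, expected) {
  const st = decodeStatement(envelope);
  const problems = [];
  if (st._type !== IN_TOTO_V1) problems.push(`statement type ${st._type}`);
  if (st.predicateType !== SLSA_V1) problems.push(`predicateType ${st.predicateType}`);

  const want = npmPurl(expected.name, expected.version);
  const subject = (st.subject || []).find((s) => s.name === want);
  if (!subject) problems.push(`no subject for ${want}`);
  else if (subject.digest?.sha512 !== expected.sha512) problems.push('tarball digest mismatch');

  const bd = st.predicate?.buildDefinition || {};
  const wf = bd.externalParameters?.workflow || {};
  if (wf.repository !== expected.repository) problems.push(`repository ${wf.repository}`);
  if (wf.path !== expected.workflowPath) problems.push(`workflow path ${wf.path}`);

  const builder = st.predicate?.runDetails?.builder?.id;
  if (!expected.builders.includes(builder)) problems.push(`builder ${builder}`);

  // gitHead link: the commit the workflow built must be the one the package claims.
  const gitCommit = (bd.resolvedDependencies || []).map((d) => d.digest?.gitCommit).find(Boolean);
  if (gitCommit !== expected.gitHead) problems.push(`gitCommit ${gitCommit}`);

  return { ok: problems.length === 0, problems, gitCommit };
}

// The constructed attestation passes; a copy naming another repository fails on that check.
function demo() {
  const good = checkProvenance(buildSampleEnvelope(sampleStatement), expectedPolicy);
  const forged = JSON.parse(JSON.stringify(sampleStatement));
  forged.predicate.buildDefinition.externalParameters.workflow.repository = 'https://github.com/someone-else/base';
  const bad = checkProvenance(buildSampleEnvelope(forged), expectedPolicy);
  return { good, bad };
}

console.log(JSON.stringify(demo(), null, 2));
```

The repository and workflow-path checks are the ones that turn a "publisher changed" signal into a decision: an attacker with a stolen npm token can publish from their own GitHub Actions workflow and obtain a valid-looking attestation, but it will name their repository, not dword-design/base. Pinning the builder id rejects self-hosted runners when the policy expects GitHub-hosted ones.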