@eclipse-che/che-e2e
## Requirements
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 used to read SSH key files for e2e test automation; not obfuscation or payload hiding. | ai | |
| phantom-deps | phantom-dep:@eclipse-che/api | AI (phantom-deps): Same-org dependency declared but used indirectly; stable false positive for this package. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 7.118.0 | 4 / 41 | |
| 7.117.0 | 4 / 41 | |
| 7.116.0 | 4 / 41 | |
| 7.115.0 | 4 / 41 | |
| 7.114.0 | 4 / 41 | |
| 7.113.0 | 4 / 41 | |
| 7.112.0 | 4 / 41 | |
| 7.111.0 | 4 / 41 | |
| 7.110.0 | 4 / 41 | |
| 7.109.0 | 4 / 41 | |
| 7.108.0 | 4 / 41 | |
| 7.107.1 | 4 / 41 | |
| 7.107.0 | 4 / 41 | |
| 7.106.1 | 4 / 41 | |
| 7.106.0 | 4 / 41 | |
| 7.105.0 | 4 / 41 | |
| 7.104.0 | 4 / 41 | |
| 7.103.0 | 4 / 41 | |
v7.118.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.117.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.116.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.115.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.114.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.113.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.112.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.111.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.110.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.109.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.108.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.107.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.107.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.106.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.106.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.105.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.104.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.103.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.