@elizaos/plugin-bootstrap
2
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
shawticusshakkernerdwtfsayoodilitimecjft
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:bun | AI (phantom-deps): bun is used as a build/test runtime in scripts, not imported directly. This is the expected usage pattern for bun as a toolchain dependency. | ai | |
| phantom-deps | phantom-dep:@elizaos/plugin-sql | AI (phantom-deps): Same-org scoped dependency; declared as a runtime dep for plugin composition rather than direct import. Normal pattern for ElizaOS plugin ecosystem. | ai | |
| dependencies | unvetted-dep:@elizaos/core | AI (dependencies): Sibling monorepo package pinned to the same version; standard pattern for @elizaos monorepo plugins. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse metadata is typical for monorepo-published plugin packages in the @elizaos ecosystem; not indicative of spam or malice. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is common in @elizaos monorepo plugin packages; not a meaningful risk signal here. | ai |
v1.7.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.9
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.