@elliemae/pui-service-sdk

SDK for creating NodeJS MicroServices

Versions: 4
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

encw.dev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@types/cors | AI (phantom-deps): @types/* packages are convention-loaded TypeScript definitions, not directly imported. | ai |
phantom-deps | phantom-dep:@types/express | AI (phantom-deps): @types/* packages are convention-loaded TypeScript definitions, not directly imported. | ai |
phantom-deps | phantom-dep:@types/compression | AI (phantom-deps): @types/* packages are convention-loaded TypeScript definitions, not directly imported. | ai |
phantom-deps | phantom-dep:@types/hpp | AI (phantom-deps): @types/* packages are convention-loaded TypeScript definitions, not directly imported. | ai |
phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): @types/* packages are convention-loaded TypeScript definitions, not directly imported. | ai |
dependencies | unvetted-dep:express-pino-logger | AI (dependencies): express-pino-logger is a well-known pino logging middleware for Express; no advisory history. | ai |
dependencies | unvetted-dep:hpp | AI (dependencies): hpp is a known Express HTTP parameter pollution middleware; stable low-risk dep for this SDK. | ai |
phantom-deps | phantom-dep:@prisma/client | AI (phantom-deps): Prisma client declared for consumer use; stable false positive for this SDK. | ai |
phantom-deps | phantom-dep:pg | AI (phantom-deps): SDK declares pg as a runtime dep for consumers; config-referenced pattern is stable for this package. | ai |
phantom-deps | phantom-dep:express-pino-logger | AI (phantom-deps): Logging middleware declared for consumer use; stable false positive for this SDK. | ai |
phantom-deps | phantom-dep:ajv | AI (phantom-deps): Validation dep used via config; stable false positive for this SDK. | ai |
phantom-deps | phantom-dep:prisma | AI (phantom-deps): ORM dep declared for consumer use; config-referenced pattern stable for this SDK. | ai |
phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): Companion to ajv; config-referenced pattern stable for this SDK. | ai |
phantom-deps | phantom-dep:escape-html | AI (phantom-deps): Utility dep declared for consumer use; stable false positive for this SDK. | ai |
phantom-deps | phantom-dep:express-jwt | AI (phantom-deps): Auth middleware declared for consumer use; stable false positive for this SDK. | ai |
phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Logging dep declared for consumer use; stable false positive for this SDK. | ai |

Versions (showing 4 of 4)

Version Deps Published
4.8.0 22 / 12
4.7.4 22 / 12
4.7.2 27 / 7
4.6.0 27 / 7

v4.8.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.7.4

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.7.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.6.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.