
@equinor/fusion-framework-cli-plugin-ai-index

AI indexing plugin for Fusion Framework CLI providing document embedding and chunking utilities

Versions: 15
License: ISC
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

eslsamartinforre_odin_gustav-eikaas

Keywords

fusion-framework, cli, plugin, llm, ai, index, embeddings

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| dependencies | unvetted-dep:@azure/search-documents | AI (dependencies): Well-known Microsoft Azure SDK; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@equinor/fusion-imports | AI (dependencies): Same Equinor org scope as this package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@equinor/fusion-framework-module | AI (dependencies): Same Equinor org scope as this package; expected internal dependency. | ai | |
| provenance | no-provenance | AI (provenance): Equinor fusion-framework monorepo; provenance absence is common and no other risk signals present. | ai | |
| phantom-deps | phantom-dep:tree-sitter | AI (phantom-deps): tree-sitter is a native binding loaded by convention/config, not directly imported in JS source. | ai | |
| phantom-deps | phantom-dep:@equinor/fusion-framework-module | AI (phantom-deps): Same org scope; stable false positive for this package family. | ai | |
| phantom-deps | phantom-dep:tree-sitter-typescript | AI (phantom-deps): Grammar package loaded at runtime by tree-sitter, not directly imported. | ai | |
| phantom-deps | phantom-dep:@azure/search-documents | AI (phantom-deps): Framework-scoped usage; loaded by convention per analyzer note. | ai | |
| phantom-deps | phantom-dep:@equinor/fusion-imports | AI (phantom-deps): Same org scope; stable false positive for this package family. | ai | |

Versions (showing 15 of 15)

Version Deps Published
3.0.4 19 / 3
3.0.3 19 / 3
3.0.2 19 / 3
3.0.1 19 / 3
3.0.0 19 / 3
2.1.0 19 / 3
2.0.1 19 / 3
2.0.0 19 / 3
1.0.6 18 / 2
1.0.5 18 / 2
1.0.4 18 / 2
1.0.3 18 / 2
1.0.2 18 / 2
1.0.1 18 / 2
1.0.0 17 / 2

v3.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.