@esome-dev/sunsage
sunsage - Power Plant Monitoring
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@things-factory/more-ui | AI (phantom-deps): Config-referenced plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-legend | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-switch | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@things-factory/system | AI (phantom-deps): Config-referenced plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@esome-dev/eaas-entity | AI (phantom-deps): Same-org dep referenced via config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-form | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-clock | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-gauge | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-random | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-chartjs | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-news-ticker | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-progressbar | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-data-transform | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-half-roundrect | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-tab | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-grist | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-table | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@operato/scene-timer | AI (phantom-deps): Config-referenced scene plugin; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with public GitHub repo; lack of Sigstore attestation is common for this ecosystem. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 encode+decode is used for Excel blob download, not payload obfuscation. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 in a development config file — not a network exfiltration endpoint. | ai |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 1.2.117 | 35 / 1 | |
| 1.2.114 | 35 / 1 | |
| 1.2.110 | 35 / 1 | |
| 1.2.89 | 35 / 1 | |
| 1.2.87 | 35 / 1 | |
| 1.2.86 | 35 / 1 | |
| 1.2.84 | 35 / 1 | |
| 1.2.83 | 35 / 1 | |
| 1.2.79 | 35 / 1 | |
| 1.2.64 | 35 / 1 | |
| 1.2.56 | 35 / 1 |
v1.2.117
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.114
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.110
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.89
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.87
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.86
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.84
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.83
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.79
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.64
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.56
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.