← Home

@eventuras/fides-auth

npm Repository Homepage

Framework-agnostic OAuth/OIDC authentication library with PKCE, session management, and pluggable logging

8
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

losolio

Keywords

oauthoidcopenid-connectauthenticationpkcesessionjwtidentityvipps

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): SLSA provenance attestation present; missing gitHead is a minor CI artifact, not a supply chain risk for this package. ai
phantom-deps phantom-dep:jose AI (phantom-deps): jose is a declared runtime dep for JWT handling; phantom-dep heuristic misses indirect/config-level usage in this auth library. ai

Versions (showing 8 of 8)

Version Deps Published
0.8.0 2 / 5
0.7.1 2 / 5
0.7.0 2 / 5
0.6.0 2 / 5
0.5.0 2 / 5
0.4.0 2 / 5
0.3.1 2 / 5
0.3.0 2 / 4

v0.8.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.