@finos/legend-extension-store-relational
Legend extension for Relational store
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:serializr | AI (dependencies): serializr is a well-known serialization library; stable dependency for this package across versions. | ai | |
| provenance | no-provenance | AI (provenance): Established FINOS org package; lack of provenance is common and not a risk indicator here. | ai | |
| phantom-deps | phantom-dep:serializr | AI (phantom-deps): Config-file reference in monorepo; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:mobx-react-lite | AI (phantom-deps): Monorepo config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@finos/legend-art | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable here. | ai | |
| phantom-deps | phantom-dep:mobx | AI (phantom-deps): Monorepo peer/config reference pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@finos/legend-shared | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-storage | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-application | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-application-studio | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-graph | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Declared as peerDependency; phantom-dep heuristic fires incorrectly for peer deps. | ai |
Versions (showing 51 of 162)
| Version | Deps | Published |
|---|---|---|
| 0.0.541 | 11 / 9 | |
| 0.0.540 | 11 / 9 | |
| 0.0.539 | 11 / 9 | |
| 0.0.538 | 11 / 9 | |
| 0.0.537 | 11 / 9 | |
| 0.0.536 | 11 / 9 | |
| 0.0.535 | 11 / 9 | |
| 0.0.534 | 11 / 9 | |
| 0.0.533 | 11 / 9 | |
| 0.0.532 | 11 / 9 | |
| 0.0.531 | 11 / 9 | |
| 0.0.530 | 11 / 9 | |
| 0.0.529 | 11 / 9 | |
| 0.0.528 | 11 / 9 | |
| 0.0.527 | 11 / 9 | |
| 0.0.526 | 11 / 9 | |
| 0.0.525 | 11 / 9 | |
| 0.0.524 | 11 / 9 | |
| 0.0.523 | 11 / 9 | |
| 0.0.522 | 11 / 9 | |
| 0.0.521 | 11 / 9 | |
| 0.0.520 | 11 / 9 | |
| 0.0.519 | 11 / 9 | |
| 0.0.518 | 11 / 9 | |
| 0.0.517 | 11 / 9 | |
| 0.0.516 | 11 / 9 | |
| 0.0.515 | 11 / 9 | |
| 0.0.514 | 11 / 9 | |
| 0.0.513 | 11 / 9 | |
| 0.0.512 | 11 / 9 | |
| 0.0.511 | 11 / 9 | |
| 0.0.510 | 11 / 9 | |
| 0.0.509 | 11 / 9 | |
| 0.0.508 | 11 / 9 | |
| 0.0.507 | 11 / 9 | |
| 0.0.506 | 11 / 9 | |
| 0.0.505 | 11 / 9 | |
| 0.0.504 | 11 / 9 | |
| 0.0.502 | 11 / 9 | |
| 0.0.501 | 11 / 9 | |
| 0.0.500 | 11 / 9 | |
| 0.0.499 | 11 / 9 | |
| 0.0.498 | 11 / 9 | |
| 0.0.497 | 11 / 9 | |
| 0.0.496 | 11 / 9 | |
| 0.0.495 | 11 / 9 | |
| 0.0.494 | 11 / 9 | |
| 0.0.493 | 11 / 9 | |
| 0.0.492 | 11 / 9 | |
| 0.0.491 | 11 / 9 | |
| 0.0.490 | 11 / 9 |
v0.0.541
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.540
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.539
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.538
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.537
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.536
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.535
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.534
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.533
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.532
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.531
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.530
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.529
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.528
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.526
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.525
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.524
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.523
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.522
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.521
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.520
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.519
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.518
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.517
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.516
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.515
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.514
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.513
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.512
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.511
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.510
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.509
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.508
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.507
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.506
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.505
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.504
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.502
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.501
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.500
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.499
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.498
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.497
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.496
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.495
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.494
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.493
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.492
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.491
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.490
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.