@flakiness/report
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dependency in package.json; phantom-dep heuristic misfires here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal tooling package from Degu Labs; sparse metadata is consistent across 136 versions, not spam. | ai | |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 0.147.0 | 3 / 0 | |
| 0.124.0 | 3 / 0 | |
| 0.123.0 | 3 / 0 | |
| 0.122.0 | 3 / 0 | |
| 0.121.11 | 3 / 0 | |
| 0.121.10 | 3 / 0 | |
| 0.121.9 | 3 / 0 | |
| 0.121.8 | 3 / 0 | |
| 0.121.7 | 3 / 0 | |
| 0.121.6 | 3 / 0 | |
| 0.121.5 | 3 / 0 | |
| 0.121.4 | 3 / 0 | |
| 0.121.3 | 3 / 0 | |
| 0.121.2 | 3 / 0 | |
| 0.121.1 | 3 / 0 | |
| 0.121.0 | 3 / 0 | |
| 0.120.1 | 3 / 0 | |
| 0.120.0 | 3 / 0 | |
| 0.119.0 | 3 / 0 | |
| 0.118.0 | 3 / 0 | |
| 0.116.0 | 2 / 0 | |
| 0.115.0 | 2 / 0 | |
| 0.114.0 | 2 / 0 | |
| 0.113.0 | 2 / 0 | |
| 0.112.0 | 2 / 0 | |
| 0.111.0 | 2 / 0 | |
| 0.110.0 | 2 / 0 | |
| 0.109.0 | 2 / 0 | |
| 0.108.0 | 2 / 0 | |
| 0.107.0 | 2 / 0 | |
| 0.106.0 | 2 / 0 | |
| 0.105.0 | 2 / 0 | |
| 0.104.0 | 2 / 0 | |
| 0.103.0 | 2 / 0 | |
| 0.102.0 | 2 / 0 | |
| 0.101.0 | 2 / 0 | |
| 0.100.0 | 2 / 0 | |
| 0.99.0 | 2 / 0 | |
| 0.98.0 | 2 / 0 | |
| 0.97.0 | 2 / 0 | |
| 0.96.0 | 2 / 0 | |
| 0.95.0 | 2 / 0 | |
v0.147.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.124.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.123.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.122.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.121.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.121.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.121.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.121.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.121.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.120.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.120.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.119.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.118.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.116.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.115.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.114.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.113.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.112.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.111.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.110.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.109.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.108.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.107.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.106.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.105.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.104.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.103.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.102.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.101.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.100.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.99.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.98.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.97.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.96.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.95.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.