@flarehr/promoted-benefits-admin
Salpac FinOps Admin
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:preact | AI (phantom-deps): Runtime dep consumed via bundled output, not direct import; stable pattern for this Preact-based package. | ai | |
| phantom-deps | phantom-dep:@emotion/css | AI (phantom-deps): Emotion deps used via twin.macro/babel config; not directly imported in source. | ai | |
| phantom-deps | phantom-dep:framer-motion | AI (phantom-deps): Runtime dep bundled into dist; phantom-dep is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@emotion/cache | AI (phantom-deps): Emotion peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@emotion/react | AI (phantom-deps): Emotion peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@emotion/styled | AI (phantom-deps): Emotion peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-hook-form | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@heroicons/react | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@headlessui/react | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:preact-custom-element | AI (phantom-deps): Runtime dep bundled into dist; stable false positive for this package. | ai | |
Versions (showing 29 of 429)
| Version | Deps | Published |
|---|---|---|
| 1.3.28675 | 12 / 26 | |
| 1.3.28576 | 12 / 26 | |
| 1.3.28514 | 12 / 26 | |
| 1.3.28453 | 12 / 26 | |
| 1.3.28341 | 12 / 26 | |
| 1.3.28181 | 12 / 26 | |
| 1.3.28022 | 12 / 26 | |
| 1.3.27922 | 12 / 26 | |
| 1.3.27788 | 12 / 26 | |
| 1.3.27738 | 12 / 26 | |
| 1.3.27667 | 12 / 26 | |
| 1.3.27581 | 12 / 26 | |
| 1.3.27446 | 12 / 26 | |
| 1.3.27321 | 12 / 26 | |
| 1.3.27213 | 12 / 26 | |
| 1.3.27101 | 12 / 26 | |
| 1.3.27034 | 12 / 26 | |
| 1.3.26967 | 12 / 26 | |
| 1.3.26877 | 12 / 26 | |
| 1.3.26760 | 12 / 26 | |
| 1.3.26628 | 12 / 26 | |
| 1.3.26510 | 12 / 26 | |
| 0.4.56851 | 12 / 26 | |
| 0.4.10472 | 12 / 26 | |
| 0.4.8753 | 12 / 26 | |
| 0.4.3838 | 12 / 26 | |
| 0.4.2206 | 12 / 26 | |
| 0.4.2174 | 12 / 26 | |
| 0.4.1855 | 12 / 26 | |
v1.3.28675
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28576
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28514
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28453
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28341
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28181
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.28022
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27922
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27788
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27738
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27667
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27581
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27446
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27321
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27213
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27101
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.27034
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26967
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26877
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26760
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26628
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26510
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.56851
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.10472
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.8753
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3838
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2206
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2174
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1855
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.