@fluidframework/azure-end-to-end-tests
Azure client end to end tests
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@fluid-private/test-version-utils | AI (dependencies): Internal FluidFramework test utility; same org, same version pin, stable pattern. | ai | |
| dependencies | unvetted-dep:@fluidframework/azure-client-legacy | AI (dependencies): npm alias for @fluidframework/azure-client@^1.2.0; standard FluidFramework legacy-compat pattern. | ai | |
| dependencies | unvetted-dep:@fluidframework/map-legacy | AI (dependencies): npm alias for @fluidframework/map@^1.4.0; standard FluidFramework legacy-compat pattern across all versions. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Test package; axios used via config/scripts, not direct import. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@fluidframework/test-utils | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/core-interfaces | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/telemetry-utils | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluid-experimental/data-objects | AI (phantom-deps): Referenced in config files; stable false positive for this test package. | ai | |
| phantom-deps | phantom-dep:@fluid-internal/mocha-test-setup | AI (phantom-deps): Referenced in config files; stable false positive for this test package. | ai | |
| phantom-deps | phantom-dep:@fluidframework/container-loader | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluid-private/test-version-utils | AI (phantom-deps): Referenced in config files; stable false positive for this test package. | ai | |
| phantom-deps | phantom-dep:@fluidframework/test-runtime-utils | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/azure-client-legacy | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/map | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/tree | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/matrix | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/counter | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/aqueduct | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/presence | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/sequence | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/map-legacy | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluid-internal/client-utils | AI (phantom-deps): Referenced in config files; stable false positive for this test package. | ai | |
| phantom-deps | phantom-dep:@fluidframework/azure-client | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:@fluidframework/fluid-static | AI (phantom-deps): Test package loads FluidFramework deps via config; stable false positive across versions. | ai | |
| phantom-deps | phantom-dep:start-server-and-test | AI (phantom-deps): Used in npm scripts only; CLI tool pattern. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared dep used in test config/helpers; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:sinon | AI (phantom-deps): Test mocking library used via config; expected phantom-dep for test packages. | ai | |
| phantom-deps | phantom-dep:tinylicious | AI (phantom-deps): Used as a local test server via npm scripts, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:mocha | AI (phantom-deps): Test runner declared as dep and used via config/scripts; phantom-dep heuristic false positive for test packages. | ai | |
| phantom-deps | phantom-dep:mocha-multi-reporters | AI (phantom-deps): Referenced in mocha config files; expected for test infrastructure packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Test package in the FluidFramework monorepo; README linking to framework docs is expected, not spam. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Used in npm scripts only; expected phantom-dep pattern for CLI tools. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 2.101.1 | 30 / 15 | |
| 2.101.0 | 30 / 15 | |
| 2.100.1 | 30 / 15 | |
| 2.100.0 | 30 / 15 | |
| 2.92.0 | 30 / 15 | |
| 2.81.0 | 30 / 15 | |
| 2.74.0 | 31 / 15 | |
| 2.70.0 | 31 / 14 | |
| 2.60.0 | 31 / 14 | |
| 2.53.0 | 31 / 14 | |
| 2.52.0 | 31 / 14 | |
| 2.51.0 | 31 / 14 | |
| 2.42.0 | 31 / 15 | |
| 2.33.2 | 31 / 15 | |
v2.101.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.101.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.100.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.100.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.92.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.81.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.74.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.70.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.60.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.53.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.52.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.51.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.42.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.33.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.