@fluidframework/server-memory-orderer
3
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ms-fluid-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established Microsoft package; lack of Sigstore provenance is common and not a disqualifier here. | ai | |
| dependencies | unvetted-dep:sillyname | AI (dependencies): sillyname is a well-known lightweight name-generation utility used by FluidFramework for generating human-readable identifiers. | ai | |
| dependencies | unvetted-dep:@types/double-ended-queue | AI (dependencies): Type definitions for double-ended-queue; benign dev/type dependency in this FluidFramework package. | ai | |
| dependencies | unvetted-dep:@fluidframework/common-utils | AI (dependencies): First-party FluidFramework utility package from the same Microsoft org. | ai | |
| dependencies | unvetted-dep:@fluidframework/protocol-definitions | AI (dependencies): First-party FluidFramework protocol definitions from the same Microsoft org. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Back-release of v6.0.1 after v7.0.1 is consistent with LTS patch backporting in large frameworks, not account takeover. | ai | |
| phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): @types packages declared for TypeScript compilation; not imported at runtime — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Same as above; @types/node is a standard TypeScript dev dependency pattern. | ai | |
| phantom-deps | phantom-dep:@types/debug | AI (phantom-deps): Same as above; @types/debug used for TypeScript type resolution. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Same as above; @types/lodash used for TypeScript type resolution. | ai | |
| phantom-deps | phantom-dep:@types/double-ended-queue | AI (phantom-deps): Same as above; @types package for TypeScript compilation only. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established FluidFramework monorepo package; short README and no keywords are consistent across the entire package family. | ai |
v7.0.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.