@fugood/bricks-project
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Established package with long history; missing description is metadata gap, not malware signal. | ai | |
| provenance | no-provenance | AI (provenance): Provenance is a best-practice; absence is not a security disqualifier for established packages. | ai | |
| dependencies | unvetted-dep:@huggingface/gguf | AI (dependencies): Official HuggingFace GGUF parsing library; legitimate dependency for an AI/ML tooling package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal/org-scoped package with 205 versions; sparse metadata is a style choice, not a spam indicator. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Pattern is passing process.env to a subprocess spawn call — standard practice, not exfiltration. | ai | |
| phantom-deps | phantom-dep:@fugood/bricks-cli | AI (phantom-deps): Same org scope; likely used indirectly via CLI invocation rather than direct import. | ai | |
| phantom-deps | phantom-dep:@types/bun | AI (phantom-deps): Type-only package loaded by convention in Bun projects; not directly imported. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Type-only package; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:@types/escodegen | AI (phantom-deps): Type-only package; not directly imported by convention. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 2.24.6 | 14 / 0 | |
| 2.24.5 | 14 / 0 | |
| 2.24.4 | 14 / 0 | |
| 2.24.3 | 14 / 0 | |
| 2.24.2 | 14 / 0 | |
| 2.24.1 | 14 / 0 | |
| 2.24.0 | 13 / 0 | |
| 2.23.9 | 13 / 0 | |
| 2.23.8 | 13 / 0 | |
| 2.23.7 | 13 / 0 | |
| 2.23.6 | 13 / 0 | |
| 2.23.5 | 13 / 0 | |
| 2.23.3 | 13 / 0 | |
| 2.23.0 | 11 / 0 | |
| 2.22.10 | 7 / 0 | |
| 2.22.9 | 7 / 0 | |
| 2.22.8 | 7 / 0 | |
| 2.22.6 | 7 / 0 | |
| 2.22.5 | 7 / 0 | |
| 2.22.4 | 7 / 0 | |
| 2.22.3 | 7 / 0 | |
| 2.22.2 | 7 / 0 | |
| 2.22.1 | 7 / 0 | |
| 2.22.0 | 7 / 0 | |
| 2.21.14 | 7 / 0 | |
| 2.21.13 | 7 / 0 | |
| 2.21.12 | 7 / 0 | |
| 2.21.11 | 7 / 0 | |
| 2.21.10 | 7 / 0 | |
| 2.21.9 | 7 / 0 | |
| 2.21.8 | 7 / 0 | |
| 2.21.7 | 7 / 0 | |
| 2.21.6 | 7 / 0 | |
| 2.21.5 | 7 / 0 | |
Per-version findings (1 finding each)
| Version | Status | Finding |
|---|---|---|
| v2.24.6 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.24.5 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.24.4 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.24.3 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.24.2 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.24.0 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.23.9 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.23.8 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.23.7 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.23.6 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.23.5 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.23.3 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.23.0 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.10 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.9 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.8 | | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.6 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.22.5 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.22.4 | | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.22.3 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.2 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.1 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.22.0 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.14 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.13 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.12 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.11 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.10 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.9 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.8 | Accepted risk | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v2.21.7 | Accepted risk | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.21.6 | Accepted risk | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v2.21.5 | Accepted risk | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |