@geode/opengeodeweb-front
OpenSource Vue/Nuxt/Pinia/Vuetify framework for web applications
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publisher with SLSA attestation; consistent with org automation, not compromise. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Used in local Electron utility; consistent with the package's desktop/local server functionality. | ai | |
| phantom-deps | phantom-dep:vuetify | AI (phantom-deps): Nuxt/Vuetify framework package; deps loaded by convention via config, not direct import. | ai | |
| phantom-deps | phantom-dep:vue-recaptcha | AI (phantom-deps): Framework package; components referenced via config, not direct import. | ai | |
| phantom-deps | phantom-dep:vue3-carousel | AI (phantom-deps): Framework package; components referenced via config, not direct import. | ai | |
| phantom-deps | phantom-dep:js-file-download | AI (phantom-deps): Framework package; utility referenced via config, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): TypeScript types package, framework-scoped, not directly imported. | ai | |
| phantom-deps | phantom-dep:@vueuse/nuxt | AI (phantom-deps): Nuxt module loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:nuxt | AI (phantom-deps): Nuxt is a framework loaded by convention in nuxt.config.js, not directly imported. | ai | |
| phantom-deps | phantom-dep:vuetify-nuxt-module | AI (phantom-deps): Nuxt module loaded by convention in nuxt.config.js. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established framework package with 399 versions; sparse README is cosmetic, not a risk signal. | ai | |
| phantom-deps | phantom-dep:@vueuse/components | AI (phantom-deps): Vue plugin registered via config, not directly imported. | ai | |
| phantom-deps | phantom-dep:rxjs | AI (phantom-deps): rxjs is a peer/transitive dep used via @vueuse/rxjs, not directly imported. | ai | |
| phantom-deps | phantom-dep:sass | AI (phantom-deps): sass is a build-time preprocessor loaded by Nuxt/Vite config, not directly imported. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver used in scripts/tooling, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:@mdi/font | AI (phantom-deps): Icon font loaded via Vuetify config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@pinia/nuxt | AI (phantom-deps): Nuxt module loaded by convention in nuxt.config.js. | ai | |
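Every phantom-dep row above rests on the same claim: the dependency is declared in package.json but is loaded by Nuxt or Vuetify configuration rather than by an import statement. The script below is an added example, not the scanner's code and not part of @geode/opengeodeweb-front, that checks that claim instead of accepting it: it resolves import specifiers in source files to package names, reads the `modules`, `css` and `plugins` entries of a Nuxt config and the `scripts` of package.json, and classifies each declared dependency as imported, config-referenced, script-referenced or unreferenced. The package.json, nuxt.config and source files it runs on are constructed for illustration.

```javascript
// Added example: verify "phantom-dep" accepted risks. Nothing below is taken
// from the scanner or from @geode/opengeodeweb-front; all inputs are CONSTRUCTED.
const SAMPLE_PACKAGE_JSON = {
  scripts: { dev: "nuxt dev", build: "nuxt build" },
  dependencies: {
    nuxt: "^3.0.0",
    "@pinia/nuxt": "^0.5.0",
    "vuetify-nuxt-module": "^0.18.0",
    "js-file-download": "^0.4.12",
    sass: "^1.70.0",
    rxjs: "^7.8.0",
  },
  devDependencies: { "@mdi/font": "^7.4.0" },
};

// Nuxt accepts a module as a bare name or as [name, options]; css entries are
// deep paths into a package, so the package name has to be recovered from them.
const SAMPLE_NUXT_CONFIG = {
  modules: ["@pinia/nuxt", ["vuetify-nuxt-module", { moduleOptions: {} }]],
  css: ["@mdi/font/css/materialdesignicons.css"],
};

// Two constructed source files: ESM imports in a .vue SFC and a CommonJS require.
const SAMPLE_SOURCES = {
  "components/DownloadButton.vue":
    '<script setup>\nimport download from "js-file-download";\nimport { ref } from "vue";\n</script>',
  "stores/app.js":
    'const { defineStore } = require("pinia");\nexport const useApp = defineStore("app", () => ({}));',
};

// Matches: `import x from "p"`, `export { x } from "p"`, `import("p")`,
// `require("p")`, and side-effect `import "p"`. Computed specifiers are not seen.
const IMPORT_RE =
  /\b(?:import|export)\b[^'"`;]*?\bfrom\s*['"]([^'"]+)['"]|\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)|\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s*['"]([^'"]+)['"]/g;

// "@scope/pkg/sub/path" -> "@scope/pkg"; "pkg/sub" -> "pkg"; relative, absolute
// and "#" subpath imports are not packages and return null.
function packageNameOf(specifier) {
  if (/^[./#]/.test(specifier)) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1] ?? m[2] ?? m[3] ?? m[4]);
      if (name) found.add(name);
    }
  }
  return found;
}

function configReferencedPackages(nuxtConfig) {
  const found = new Set();
  const entries = [...(nuxtConfig.modules ?? []), ...(nuxtConfig.css ?? []), ...(nuxtConfig.plugins ?? [])];
  for (const entry of entries) {
    const spec = Array.isArray(entry) ? entry[0] : typeof entry === "string" ? entry : entry?.src;
    const name = typeof spec === "string" ? packageNameOf(spec) : null;
    if (name) found.add(name);
  }
  return found;
}

function declaredDeps(packageJson) {
  return Object.keys({ ...(packageJson.dependencies ?? {}), ...(packageJson.devDependencies ?? {}) });
}

// Classification order: a direct import beats a config reference, which beats a
// bare use of the package's binary in an npm script. Anything else is unreferenced
// and needs a written justification (the "Reason" column of the table above).
function classifyDeclaredDeps(packageJson, nuxtConfig, sources) {
  const imported = importedPackages(sources);
  const viaConfig = configReferencedPackages(nuxtConfig);
  const scriptTokens = new Set(Object.values(packageJson.scripts ?? {}).flatMap((cmd) => cmd.split(/\s+/)));
  const classification = {};
  for (const dep of declaredDeps(packageJson)) {
    classification[dep] = imported.has(dep) ? "imported"
      : viaConfig.has(dep) ? "config-referenced"
      : scriptTokens.has(dep) ? "script-referenced"
      : "unreferenced";
  }
  return classification;
}

function phantomDeps(packageJson, nuxtConfig, sources) {
  return Object.entries(classifyDeclaredDeps(packageJson, nuxtConfig, sources))
    .filter(([, kind]) => kind === "unreferenced")
    .map(([dep]) => dep);
}

// The opposite defect: imported from source but never declared, so it only
// resolves through some other package's transitive dependency tree.
function undeclaredImports(packageJson, sources) {
  const declared = new Set(declaredDeps(packageJson));
  return [...importedPackages(sources)].filter((name) => !declared.has(name)).sort();
}

console.log(classifyDeclaredDeps(SAMPLE_PACKAGE_JSON, SAMPLE_NUXT_CONFIG, SAMPLE_SOURCES));
console.log("phantom:", phantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_NUXT_CONFIG, SAMPLE_SOURCES));
console.log("undeclared:", undeclaredImports(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
```

On the constructed input, `sass` and `rxjs` come back unreferenced, which is the same shape as the table: a build-time preprocessor and a peer dependency consumed through another package are invisible to an import scan and need the human reason recorded next to them. Two limits matter when reading the output. Nuxt auto-imports components and composables without an import statement, so a Nuxt module's own exports never show up as imported, and a computed or templated specifier is not matched at all; the classification is a triage aid for the reviewer, not a proof that a declared package is unused.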
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 10.24.2 | 33 / 14 | |
| 10.24.1 | 33 / 14 | |
| 10.24.0 | 33 / 14 | |
| 10.23.0 | 33 / 14 | |
| 10.22.1 | 33 / 14 | |
| 10.22.0 | 33 / 14 | |
| 10.21.0 | 33 / 14 | |
| 10.20.1 | 33 / 14 | |
| 10.20.0 | 33 / 14 | |
| 10.19.0 | 33 / 14 | |
| 10.18.2 | 33 / 14 | |
| 10.18.1 | 33 / 14 | |
| 10.18.0 | 33 / 14 | |
| 10.17.0 | 33 / 14 | |
| 10.16.1 | 33 / 14 | |
| 10.16.0 | 33 / 14 | |
| 10.15.0 | 33 / 14 | |
| 10.14.1 | 33 / 14 | |
| 10.14.0 | 33 / 14 | |
| 10.13.2 | 33 / 14 | |
| 10.13.1 | 33 / 14 | |
| 10.13.0 | 33 / 14 | |
| 10.12.0 | 33 / 14 | |
| 10.11.0 | 30 / 22 | |
| 10.10.1 | 30 / 22 | |
| 10.10.0 | 30 / 22 | |
| 10.0.0 | 21 / 23 | |
| 9.14.0 | 21 / 23 | |
| 9.13.1 | 21 / 23 | |
| 9.13.0 | 21 / 24 | |
| 9.12.2 | 22 / 24 | |
| 9.12.1 | 22 / 24 | |
v10.24.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.24.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.24.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.22.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.20.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.19.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.18.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.18.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.18.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.17.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.16.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.15.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.14.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-24. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.13.2
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-18. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.13.1
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.13.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.12.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.11.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-04. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.10.1
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.10.0
2 findings:
- This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.14.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.13.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.13.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.12.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.12.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
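The two findings repeated through the version list, provenance present or absent and publishing account changed, are both derived from fields of the npm registry packument. The script below is an added example, not the scanner's code and not part of @geode/opengeodeweb-front, that re-derives them from a packument. The field names it reads (`time[version]`, `versions[version]._npmUser.name`, `versions[version].dist.attestations.provenance.predicateType`) are the registry's; the package name, accounts and dates in the sample are invented.

```javascript
// Added example: re-derive the per-version provenance and publisher-change
// findings from an npm registry packument. Not the scanner's code.
const SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1";

// CONSTRUCTED packument for a made-up package. Keys of `time` are deliberately
// out of order to show that ordering is by publish timestamp, not key order
// or semver (a backported 9.x patch published after 10.x belongs where it was
// published, since "previous version" means previously published).
const SAMPLE_PACKUMENT = {
  name: "@example/widget",
  time: {
    created: "2026-03-01T00:00:00.000Z",
    modified: "2026-04-02T00:00:00.000Z",
    "1.1.1": "2026-04-02T00:00:00.000Z",
    "1.0.0": "2026-03-01T00:00:00.000Z",
    "1.1.0": "2026-04-01T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "maintainer-a" }, dist: {} },
    "1.1.0": {
      _npmUser: { name: "ci-publisher" },
      dist: { attestations: { provenance: { predicateType: SLSA_V1_PREDICATE } } },
    },
    "1.1.1": {
      _npmUser: { name: "ci-publisher" },
      dist: { attestations: { provenance: { predicateType: SLSA_V1_PREDICATE } } },
    },
  },
};

// Versions in the order they were actually published; entries without a
// timestamp (e.g. unpublished versions) are skipped.
function publishedVersionsInOrder(packument) {
  return Object.keys(packument.versions)
    .filter((v) => typeof packument.time?.[v] === "string")
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function provenancePredicate(versionMeta) {
  return versionMeta?.dist?.attestations?.provenance?.predicateType ?? null;
}

function auditPackument(packument) {
  const findings = {};
  let previousPublisher = null;
  for (const version of publishedVersionsInOrder(packument)) {
    const meta = packument.versions[version];
    const publisher = meta._npmUser?.name ?? null;
    const list = [];

    // Flag the version at which the publishing account changes.
    if (previousPublisher !== null && publisher !== previousPublisher) {
      list.push({
        rule: "publisher-changed",
        detail: `published by "${publisher}" on ${packument.time[version].slice(0, 10)}; previous version was published by "${previousPublisher}"`,
      });
    }

    // Exact match on the predicate: an attestation with some other predicate
    // is not the SLSA v1 build provenance the report is looking for.
    const predicate = provenancePredicate(meta);
    if (predicate === SLSA_V1_PREDICATE) {
      list.push({ rule: "provenance-slsa-v1", detail: `Sigstore attestation with predicate ${predicate}` });
    } else if (predicate !== null) {
      list.push({ rule: "provenance-unknown-predicate", detail: `attestation present with unexpected predicate ${predicate}` });
    } else {
      list.push({ rule: "no-provenance", detail: "published without a Sigstore provenance attestation" });
    }

    findings[version] = list;
    if (publisher !== null) previousPublisher = publisher;
  }
  return findings;
}

function rulesFor(packument, version) {
  return (auditPackument(packument)[version] ?? []).map((f) => f.rule);
}

// Render newest-first, in the same shape as the version list above.
function formatReport(packument) {
  const lines = [];
  for (const [version, list] of Object.entries(auditPackument(packument)).reverse()) {
    lines.push(`v${version}`);
    lines.push(`${list.length} finding${list.length === 1 ? "" : "s"}:`);
    for (const f of list) lines.push(`- ${f.rule}: ${f.detail}`);
  }
  return lines;
}

console.log(formatReport(SAMPLE_PACKUMENT).join("\n"));
```

Two caveats when reading output like this against the list above. The report flags every version in the run after the account switch (10.10.0 through 10.14.0, each with its own date); this script flags only the version at which the account changes, which is the event that needs a human explanation such as the provenance row in the accepted risks table. And `dist.attestations` is only the registry's claim that an attestation exists: the cryptographic check against the Sigstore transparency log, and the binding of the tarball digest to a source commit and CI workflow, is what `npm audit signatures` performs in an installed project. Even a verified SLSA v1 attestation proves how and from which commit the package was built, not that the source at that commit was benign.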