@goldstack/template-ssr-server-compile-bundle
Utility for compiling client side bundles for SSR application
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:react | AI (phantom-deps): SSR bundle compiler; react declared as peer/template dep, not directly imported in library code. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Same as react — template/SSR tooling pattern, not a direct import. | ai | |
| phantom-deps | phantom-dep:@goldstack/infra | AI (phantom-deps): Same-org scope; stable false positive for goldstack monorepo packages. | ai | |
| phantom-deps | phantom-dep:@types/aws-lambda | AI (phantom-deps): Framework-scoped type package loaded by convention; stable FP. | ai | |
| phantom-deps | phantom-dep:lambda-compression | AI (phantom-deps): Referenced in config/template files; stable FP for this build-tool package. | ai | |
| phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): Injected at runtime by esbuild/template; not directly imported. | ai | |
| phantom-deps | phantom-dep:@goldstack/infra-aws | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| phantom-deps | phantom-dep:@goldstack/utils-esbuild | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| phantom-deps | phantom-dep:@goldstack/utils-package | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| phantom-deps | phantom-dep:@goldstack/utils-template | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| phantom-deps | phantom-dep:@goldstack/utils-terraform | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| phantom-deps | phantom-dep:@goldstack/utils-package-config-embedded | AI (phantom-deps): Same-org scope; stable FP for goldstack monorepo. | ai | |
| provenance | no-provenance | AI (provenance): Established package predating widespread provenance adoption; no other risk signals. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.3.108 | 17 / 12 | |
| 0.3.72 | 17 / 14 | |
| 0.3.71 | 17 / 14 | |
| 0.3.70 | 17 / 14 | |
v0.3.108
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.72
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.71
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.70
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.