
@golemio/core

- 7 versions
- License
- No install scripts
- Missing provenance

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sinacekbenaktomoict-robot

Keywords

golemio

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@types/geojson | AI (phantom-deps): @types packages declared as runtime deps for TypeScript consumers; not directly imported by convention. | ai |
publish-pattern | rapid-publish | AI (publish-pattern): CI/CD pipeline with 1083 versions; rapid successive publishes are expected for automated releases. | ai |
phantom-deps | phantom-dep:@types/qs | AI (phantom-deps): @types packages declared as runtime deps for TypeScript consumers; not directly imported by convention. | ai |
phantom-deps | phantom-dep:@types/luxon | AI (phantom-deps): @types packages declared as runtime deps for TypeScript consumers; not directly imported by convention. | ai |
phantom-deps | phantom-dep:@types/amqplib | AI (phantom-deps): @types packages declared as runtime deps for TypeScript consumers; not directly imported by convention. | ai |
phantom-deps | phantom-dep:@types/express | AI (phantom-deps): @types packages declared as runtime deps for TypeScript consumers; not directly imported by convention. | ai |
typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @golemio/core is a long-established internal framework package, not a typosquat of 'cors'. | ai |
phantom-deps | phantom-dep:pg | AI (phantom-deps): pg is a common optional DB driver declared for downstream use; stable false positive for this package. | ai |
phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv loaded via test scripts, not direct import; stable false positive. | ai |
phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Used in build/config context; stable false positive for this package. | ai |
phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Dev/logging utility loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:apicache-plus | AI (phantom-deps): Loaded by framework convention; stable false positive. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
3.1.1 | 59 / 37 |
3.0.7 | 59 / 36 |
3.0.6 | 59 / 36 |
3.0.5 | 59 / 36 |
3.0.4 | 59 / 36 |
2.0.4 | 59 / 36 |
2.0.2 | 59 / 36 |

v3.1.1

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v3.0.7

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

v3.0.5

2 findings
HIGH (typosquat): typosquat.levenshtein: Possible typosquat of 'cors'

Package name '@golemio/core' is 1 edit(s) away from popular package 'cors'.

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.4

2 findings
HIGH (typosquat): typosquat.levenshtein: Possible typosquat of 'cors'

Package name '@golemio/core' is 1 edit(s) away from popular package 'cors'.

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.4

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding
LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.