@grafana/create-plugin
Create Grafana plugins with ease.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require() loads package.json from process.cwd() — a fixed literal path, not user-controlled input. Standard pattern for CLI/scaffolding tools; no arbitrary module loading risk. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a standard templating library used legitimately in this scaffolding tool. Constraint ^4.7.8 pins to patched versions only. Stable false positive for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Official Grafana package published via CI/CD with SLSA provenance attestation; dormancy gap does not indicate account takeover for this org-controlled automated pipeline. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): @babel/parser is a transitive peer of recast (a direct dep); it is legitimately declared as a direct dep for version pinning. This is a stable false positive for this package. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 7.3.0 | 16 / 8 | |
| 7.2.2 | 16 / 8 | |
| 7.2.1 | 16 / 8 | |
| 7.2.0 | 16 / 8 | |
| 7.1.7 | 16 / 8 | |
| 7.1.6 | 16 / 8 | |
| 7.1.5 | 16 / 8 | |
| 7.1.4 | 16 / 8 | |
| 7.1.3 | 16 / 8 | |
| 7.1.2 | 16 / 8 | |
| 7.1.1 | 16 / 8 | |
| 7.1.0 | 16 / 8 | |
| 6.2.1 | 17 / 8 | |
| 6.1.10 | 15 / 8 | |
| 6.1.6 | 15 / 8 | |
Findings by version

Each listed version carries the same single finding: it was published via CI/CD with a Sigstore attestation whose predicate type is https://slsa.dev/provenance/v1.

| Version | Findings | Provenance |
|---|---|---|
| 7.3.0 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.2.2 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.2.1 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.2.0 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.7 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.6 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.5 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.4 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.3 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.2 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.1 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 7.1.0 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 6.2.1 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 6.1.10 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |
| 6.1.6 | 1 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1) |

This is the strongest supply chain integrity signal: the attestation binds the published tarball's digest to the builder and the source revision that produced it, so a tarball altered after the build would not match the attested digest, and a version uploaded by hand from a maintainer's machine would carry no attestation at all. It says nothing about what that source contains, which is why the accepted findings above still apply to every version listed.