@highstate/backend — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

exeteres

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:hex-decode	AI (semgrep): Decoding master key from hex env var — legitimate crypto key loading pattern.	ai	2026/06/01
phantom-deps	phantom-dep:ulid	AI (phantom-deps): Listed as runtime dep; bundled output may inline it without direct import in source.	ai	2026/06/01
phantom-deps	phantom-dep:flexsearch	AI (phantom-deps): Stable false positive for this bundled package.	ai	2026/06/01
phantom-deps	phantom-dep:rev-dep	AI (phantom-deps): Stable false positive for this bundled package.	ai	2026/06/01
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type-only package loaded by convention; stable false positive.	ai	2026/05/30
phantom-deps	phantom-dep:crypto-hash	AI (phantom-deps): Referenced in config files; stable false positive.	ai	2026/05/20
semgrep	semgrep:base64-decode	AI (semgrep): Prisma-generated WASM loader; stable pattern across versions.	ai	2026/05/20
phantom-deps	phantom-dep:@prisma/driver-adapter-utils	AI (phantom-deps): Prisma adapter used at runtime via Prisma internals.	ai	2026/05/20
phantom-deps	phantom-dep:classic-level	AI (phantom-deps): Referenced in config files; stable false positive.	ai	2026/05/20
npm-metadata	no-description	AI (npm-metadata): Scoped workspace package; missing description is benign.	ai	2026/05/20
phantom-deps	phantom-dep:prisma	AI (phantom-deps): Prisma CLI used in scripts, not imported in source.	ai	2026/05/20
phantom-deps	phantom-dep:consola	AI (phantom-deps): Likely used transitively or in config; stable for this package.	ai	2026/05/20
phantom-deps	phantom-dep:ansi-colors	AI (phantom-deps): Referenced in config files; stable false positive.	ai	2026/05/20

Versions (showing 17 of 17)

Version	Deps	Published
0.21.1	37 / 9	2026-04-27
0.20.0	37 / 10	2026-04-25
0.9.22	33 / 10	2025-09-21
0.9.21	33 / 10	2025-09-20
0.9.20	33 / 9	2025-09-18
0.9.18	30 / 8	2025-07-31
0.9.15	19 / 5	2025-06-24
0.9.14	19 / 5	2025-06-23
0.9.13	19 / 5	2025-06-23
0.9.12	19 / 5	2025-06-15
0.9.11	19 / 5	2025-06-15
0.9.10	19 / 5	2025-06-14
0.9.9	19 / 5	2025-06-06
0.9.8	19 / 5	2025-06-05
0.9.7	19 / 5	2025-05-31
0.9.6	19 / 5	2025-05-31
0.9.5	19 / 5	2025-05-31

v0.21.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.20.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.22

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.21

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.18

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.14

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.13

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.