@highstate/cert-manager

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

exeteres

Keywords

pulumikubernetescategory/cloudkind/native

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Standard Pulumi provider SDK generation postinstall; consistent with this package's established pattern.	ai	2026/05/11
phantom-deps	phantom-dep:tmp	AI (phantom-deps): Phantom-dep heuristic; tmp is used indirectly in config/runtime.	ai	2026/05/05
phantom-deps	phantom-dep:@types/tmp	AI (phantom-deps): Type package loaded by convention; stable pattern for this package.	ai	2026/05/05
phantom-deps	phantom-dep:node-fetch	AI (phantom-deps): Phantom-dep heuristic; node-fetch used indirectly in config.	ai	2026/05/05
phantom-deps	phantom-dep:@types/node-fetch	AI (phantom-deps): Type package loaded by convention; stable pattern for this package.	ai	2026/05/05
phantom-deps	phantom-dep:glob	AI (phantom-deps): Build/config tooling; declared for build scripts, not runtime imports.	ai	2026/04/29
phantom-deps	phantom-dep:shell-quote	AI (phantom-deps): Declared for type definitions (@types/shell-quote); runtime usage via types.	ai	2026/04/29
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type definitions loaded by convention in TypeScript projects.	ai	2026/04/29
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Build-time dependency; TypeScript projects declare but don't import the compiler.	ai	2026/04/29

Versions (showing 42 of 42)

Version	Deps	Published
0.20.0	6 / 3	2026-04-27
0.14.0	9 / 5	2025-12-28
0.13.2	9 / 5	2025-12-19
0.13.1	9 / 5	2025-12-19
0.13.0	9 / 5	2025-12-19
0.12.1	9 / 5	2025-12-14
0.12.0	9 / 5	2025-12-07
0.11.7	9 / 5	2025-11-16
0.11.6	9 / 5	2025-11-16
0.11.4	9 / 5	2025-10-16
0.10.0	8 / 5	2025-10-13
0.9.37	8 / 5	2025-10-12
0.9.36	8 / 5	2025-10-12
0.9.35	8 / 5	2025-10-12
0.9.34	8 / 5	2025-10-11
0.9.33	8 / 5	2025-10-07
0.9.32	8 / 5	2025-10-06
0.9.31	8 / 5	2025-10-01
0.9.30	8 / 5	2025-09-30
0.9.29	8 / 5	2025-09-28
0.9.28	8 / 5	2025-09-28
0.9.27	8 / 5	2025-09-28
0.9.26	8 / 5	2025-09-21
0.9.25	8 / 5	2025-09-21
0.9.24	8 / 5	2025-09-21
0.9.23	8 / 5	2025-09-21
0.9.21	8 / 5	2025-09-20
0.9.20	8 / 5	2025-09-18
0.9.19	8 / 5	2025-09-12
0.9.18	8 / 5	2025-07-31
0.9.16	8 / 5	2025-07-20
0.9.15	8 / 5	2025-06-24
0.9.14	8 / 5	2025-06-23
0.9.13	8 / 5	2025-06-23
0.9.12	8 / 5	2025-06-15
0.9.11	8 / 5	2025-06-15
0.9.10	8 / 5	2025-06-14
0.9.9	8 / 5	2025-06-06
0.9.8	8 / 5	2025-06-05
0.9.7	8 / 5	2025-05-31
0.9.6	8 / 5	2025-05-31
0.9.5	8 / 5	2025-05-31

v0.14.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.4

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: exeteres.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.