@hydrooj/utils
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation present; publisher has prior approved record; no code changes from prior version. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is scoped to pm2 binary path resolution; not user-controlled arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@hydrooj/register | AI (phantom-deps): Same-org package used as a runtime registration hook; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:cac | AI (phantom-deps): CLI utility dep; phantom-dep heuristic likely fires due to indirect/config-level usage. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.5.5 | 7 / 1 | |
| 1.5.4 | 7 / 1 | |
| 1.5.0 | 7 / 1 | |
| 1.4.36 | 7 / 1 | |
| 1.4.35 | 7 / 1 |
v1.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.