@icanbwell/bwell-sdk-ts
b.well TypeScript SDK
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change to icanbwell-admin reflects org-level account consolidation; stable for this package. | ai | |
| dependencies | unvetted-dep:@opentelemetry/instrumentation-fetch | AI (dependencies): Official OpenTelemetry package; stable, well-known CNCF project with no malicious indicators. | ai | |
| dependencies | unvetted-dep:@opentelemetry/instrumentation-xml-http-request | AI (dependencies): Official OpenTelemetry package; stable, well-known CNCF project with no malicious indicators. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation-fetch | AI (phantom-deps): Referenced in config files only; legitimate OpenTelemetry instrumentation dep pattern for this SDK. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-http | AI (phantom-deps): Referenced in config files only; legitimate OpenTelemetry exporter dep pattern for this SDK. | ai |
Versions (showing 51 of 83)
| Version | Deps | Published |
|---|---|---|
| 1.95.0 | 12 / 22 | |
| 1.94.0 | 12 / 22 | |
| 1.93.0 | 12 / 22 | |
| 1.92.0 | 12 / 22 | |
| 1.91.0 | 12 / 22 | |
| 1.90.0 | 12 / 22 | |
| 1.89.0 | 12 / 23 | |
| 1.88.0 | 12 / 23 | |
| 1.87.0 | 12 / 23 | |
| 1.86.0 | 12 / 23 | |
| 1.85.0 | 12 / 23 | |
| 1.84.0 | 12 / 23 | |
| 1.83.0 | 12 / 23 | |
| 1.82.0 | 12 / 23 | |
| 1.81.0 | 12 / 23 | |
| 1.80.1 | 12 / 23 | |
| 1.80.0 | 12 / 23 | |
| 1.79.0 | 12 / 23 | |
| 1.78.0 | 12 / 23 | |
| 1.77.1 | 12 / 23 | |
| 1.77.0 | 12 / 23 | |
| 1.76.0 | 12 / 23 | |
| 1.75.0 | 12 / 23 | |
| 1.74.0 | 12 / 23 | |
| 1.73.0 | 12 / 23 | |
| 1.72.0 | 12 / 23 | |
| 1.71.0 | 12 / 23 | |
| 1.70.1 | 12 / 23 | |
| 1.70.0 | 12 / 23 | |
| 1.68.4 | 12 / 23 | |
| 1.68.3 | 12 / 23 | |
| 1.68.2 | 12 / 23 | |
| 1.68.0 | 12 / 23 | |
| 1.67.0 | 12 / 23 | |
| 1.66.0 | 12 / 23 | |
| 1.65.0 | 12 / 23 | |
| 1.64.0 | 12 / 23 | |
| 1.63.0 | 12 / 23 | |
| 1.62.0 | 12 / 23 | |
| 1.61.0 | 12 / 23 | |
| 1.60.0 | 12 / 23 | |
| 1.59.0 | 12 / 23 | |
| 1.58.0 | 12 / 23 | |
| 1.57.0 | 12 / 23 | |
| 1.56.0 | 12 / 23 | |
| 1.54.0 | 12 / 23 | |
| 1.53.0 | 12 / 23 | |
| 1.52.0 | 12 / 23 | |
| 1.51.0 | 12 / 23 | |
| 1.50.0 | 12 / 23 | |
| 1.49.0 | 12 / 23 |
v1.95.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.94.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.93.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.92.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.91.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.90.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.88.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.87.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.86.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.84.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.83.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.82.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.81.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.80.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.80.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.79.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.0
2 findingsThis version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.76.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.75.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.74.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.73.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.72.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.71.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.70.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.70.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.68.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.68.3
2 findingsThis version was published by a different npm account than previous versions on 2026-03-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.68.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.68.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.67.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.66.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.65.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.64.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.63.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.62.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.61.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.60.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.59.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.58.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.57.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.56.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.54.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.53.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.52.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.51.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.50.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.49.0
2 findingsThis version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.