@internetarchive/donation-monthly-portal

The Internet Archive Monthly Portal

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bfallingmitraardronvbanoskngenieiisacdrininsharma123dualcnhqlatonvibnesayeedtracey.poohjim-at-iajeffwkleinrebecca-shoptawjbucknerdhallia

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Internet Archive org packages consistently lack Sigstore provenance; stable false positive for this package family.	ai	2026/05/11
dependencies	unvetted-dep:@internetarchive/donation-form	AI (dependencies): Same-org @internetarchive scoped dependency; expected for this package family.	ai	2026/05/11
dependencies	unvetted-dep:@internetarchive/donation-form-section	AI (dependencies): Same-org @internetarchive scoped dependency; expected for this package family.	ai	2026/05/11
dependencies	unvetted-dep:@internetarchive/iaux-notification-toast	AI (dependencies): Same-org @internetarchive scoped dependency; expected for this package family.	ai	2026/05/11
dependencies	unvetted-dep:@internetarchive/donation-form-data-models	AI (dependencies): Same-org @internetarchive scoped dependency; expected for this package family.	ai	2026/05/11
phantom-deps	phantom-dep:@internetarchive/iaux-notification-toast	AI (phantom-deps): Same-org dependency declared in package.json; phantom-dep heuristic is unreliable for re-exported or type-only imports.	ai	2026/05/05

Versions (showing 9 of 9)

Version	Deps	Published
7.0.8	6 / 26	2025-11-03
7.0.7	6 / 26	2025-11-03
7.0.6	6 / 26	2025-11-03
7.0.5	6 / 26	2025-08-29
7.0.4	6 / 26	2025-08-01
7.0.3	6 / 26	2025-08-01
7.0.2	6 / 26	2025-07-29
7.0.1	6 / 26	2025-07-17
7.0.0	6 / 26	2025-07-08