@itcase/config — Greenflagged

ITCase Config

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arkadiy_zamaraev

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): Package distributes configs; adding commitlint tooling deps is consistent with its purpose and both packages are well-established.	ai	2026/06/04
phantom-deps	phantom-dep:postcss-url	AI (phantom-deps): Config package re-exports deps via config files; not directly imported by design.	ai	2026/06/03
phantom-deps	phantom-dep:@rollup/plugin-terser	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-node-resolve	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-json	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-image	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-babel	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@lerna-lite/cli	AI (phantom-deps): Config package; lerna-lite tools referenced in config files, not direct imports.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-alias	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:@rollup/plugin-typescript	AI (phantom-deps): Rollup plugins loaded by convention in config; stable pattern for this package.	ai	2026/06/02
phantom-deps	phantom-dep:conventional-changelog-conventionalcommits	AI (phantom-deps): Config-file package; deps referenced in configs, not imported directly.	ai	2026/06/01
phantom-deps	phantom-dep:@semantic-release/release-notes-generator	AI (phantom-deps): Config-file package; deps referenced in configs, not imported directly.	ai	2026/06/01
phantom-deps	phantom-dep:@semantic-release/changelog	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:@commitlint/cz-commitlint	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:postcss-unit-processor	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:@semantic-release/git	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:@commitlint/cli	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:postcss-unit	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:@commitlint/config-conventional	AI (phantom-deps): Config package; deps are referenced in exported config files, not imported directly.	ai	2026/05/31
phantom-deps	phantom-dep:postcss-mq-extract	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:cssnano	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:@svgr/webpack	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-clamp	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-loader	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-urlrewrite	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-extend-rule	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:cssnano-preset-default	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-color-hsla-fallback	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:postcss-aspect-ratio-polyfill	AI (phantom-deps): Config-exporting package; deps referenced in config files, not JS imports. Stable pattern.	ai	2026/05/26
dependencies	unvetted-dep:chokidar-cli	AI (dependencies): Legitimate file-watcher CLI; stable tooling dep for this config package.	ai	2026/05/14
dependencies	unvetted-dep:rollup-plugin-peer-deps-external	AI (dependencies): Standard rollup plugin; expected in a build-tooling config package.	ai	2026/05/14
dependencies	unvetted-dep:postcss-aspect-ratio-polyfill	AI (dependencies): PostCSS plugin; consistent with this package's postcss config aggregation purpose.	ai	2026/05/14
dependencies	unvetted-dep:postcss-sort-media-queries	AI (dependencies): PostCSS plugin; consistent with this package's postcss config aggregation purpose.	ai	2026/05/14
dependencies	unvetted-dep:postcss-urlrewrite	AI (dependencies): PostCSS plugin; consistent with this package's postcss config aggregation purpose.	ai	2026/05/14
dependencies	unvetted-dep:postcss-unitlist	AI (dependencies): PostCSS plugin; consistent with this package's postcss config aggregation purpose.	ai	2026/05/14
dependencies	unvetted-dep:@lerna-lite/watch	AI (dependencies): Well-known lerna-lite monorepo tool; expected dep for a config aggregator.	ai	2026/05/14
dependencies	unvetted-dep:@lerna-lite/list	AI (dependencies): Well-known lerna-lite monorepo tool; expected dep for a config aggregator.	ai	2026/05/14
dependencies	unvetted-dep:@lerna-lite/exec	AI (dependencies): Well-known lerna-lite monorepo tool; expected dep for a config aggregator.	ai	2026/05/14
dependencies	unvetted-dep:@lerna-lite/run	AI (dependencies): Well-known lerna-lite monorepo tool; expected dep for a config aggregator.	ai	2026/05/14
dependencies	unvetted-dep:@lerna-lite/cli	AI (dependencies): Well-known lerna-lite monorepo tool; expected dep for a config aggregator.	ai	2026/05/14
phantom-deps	phantom-dep:autoprefixer	AI (phantom-deps): PostCSS plugin referenced in config files, not imported directly.	ai	2026/05/14
provenance	no-provenance	AI (provenance): Established package with 142 versions; lack of provenance is common and not a risk signal here.	ai	2026/05/14
phantom-deps	phantom-dep:semantic-release-lerna	AI (phantom-deps): Plugin referenced in config, not imported.	ai	2026/05/14
phantom-deps	phantom-dep:semantic-release	AI (phantom-deps): CLI tool referenced in config, not imported.	ai	2026/05/14
phantom-deps	phantom-dep:postcss	AI (phantom-deps): Config-only package; deps are referenced in config files, not imported directly. Stable pattern.	ai	2026/05/14
phantom-deps	phantom-dep:inquirer	AI (phantom-deps): Referenced in config, not imported directly.	ai	2026/05/14
phantom-deps	phantom-dep:commitizen	AI (phantom-deps): CLI tool referenced in config, not imported.	ai	2026/05/14
phantom-deps	phantom-dep:chokidar-cli	AI (phantom-deps): CLI tool referenced in config scripts, not imported.	ai	2026/05/14
phantom-deps	phantom-dep:postcss-cli	AI (phantom-deps): CLI tool referenced in config scripts, not imported. Expected for this package type.	ai	2026/05/14

Versions (showing 26 of 26)

Version	Deps	Published
1.6.57	67 / 9	2026-05-22
1.6.56	67 / 9	2026-04-14
1.6.55	67 / 9	2026-04-14
1.6.53	67 / 9	2026-03-19
1.6.51	66 / 8	2026-02-17
1.6.48	66 / 8	2026-02-06
1.6.45	66 / 8	2026-01-29
1.6.43	66 / 8	2026-01-21
1.6.42	66 / 8	2026-01-20
1.6.41	66 / 8	2026-01-20
1.6.35	66 / 8	2026-01-20
1.6.26	48 / 8	2026-01-16
1.6.25	48 / 8	2026-01-16
1.6.20	48 / 8	2026-01-12
1.6.19	48 / 8	2026-01-12
1.6.12	43 / 8	2026-01-06
1.6.4	43 / 8	2026-01-05
1.6.3	43 / 8	2026-01-05
1.5.0	43 / 8	2026-01-05
1.0.80	42 / 9	2026-01-05
1.0.79	42 / 9	2025-12-11
1.0.78	38 / 13	2025-12-11
1.0.70	35 / 12	2025-11-26
1.0.65	33 / 14	2025-11-16
1.0.53	33 / 14	2025-07-16
1.0.44	33 / 14	2025-05-20

v1.6.57

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.55

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.53

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.51

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.48

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.45

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.43

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.42

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.41

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.35

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.26

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.25

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.19

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.12

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.80

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.79

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.78

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.70

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.65

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.53

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.44

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.