@jupyterlab/buildutils BSD-3-Clause 19 versions

@jupyterlab/buildutils

npm Repository Homepage

JupyterLab - Build Utilities

19

Versions

BSD-3-Clause

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

darianblink1073jasongroutfcollonvaljtpiombektaskrassowskijupyterlab-release-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): JupyterLab migrated publishing to GitHub Actions CI with SLSA provenance; this is a legitimate infra change, not a takeover.	ai	2026/05/07
publish-pattern	dormant-publish	AI (publish-pattern): Long gap explained by CI/CD pipeline migration; SLSA attestation confirms legitimate automated publish.	ai	2026/05/07
semgrep	semgrep:dynamic-require	AI (semgrep): Build utility reads package.json files dynamically by path — expected pattern for this tooling.	ai	2026/05/02
semgrep	semgrep:child-process-import	AI (semgrep): Build/repo management tool legitimately shells out to npm and other CLI tools.	ai	2026/05/02
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 0.0.0.0 is a localhost binding for a local Verdaccio test registry, not an external exfiltration endpoint.	ai	2026/05/02
phantom-deps	phantom-dep:verdaccio	AI (phantom-deps): Verdaccio is used as a local test registry; referenced in config but not imported directly — stable false positive.	ai	2026/05/02

Versions (showing 19 of 19)

Version	Deps	Published
4.5.8	18 / 7	2026-06-04
4.5.7	18 / 7	2026-04-29
4.5.6	18 / 7	2026-03-11
4.5.5	18 / 7	2026-02-23
4.5.4	18 / 7	2026-02-11
4.5.3	18 / 7	2026-01-23
4.5.2	18 / 7	2026-01-12
4.5.1	18 / 7	2025-12-15
4.5.0	18 / 7	2025-11-18
4.4.10	18 / 7	2025-10-22
4.4.9	18 / 7	2025-09-26
4.4.8	18 / 7	2025-09-25
4.4.7	18 / 7	2025-09-03
4.4.6	18 / 7	2025-08-15
4.4.5	18 / 7	2025-07-20
4.4.4	18 / 7	2025-06-28
4.4.3	18 / 7	2025-05-26
4.4.2	18 / 7	2025-05-06
4.3.8	18 / 7	2025-06-24

v4.5.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.4

2 findings

HIGH Publisher changed: jupyterlab-release-bot → GitHub Actions (on 2026-02-11) provenance

This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.3

2 findings

HIGH Publisher changed: jupyterlab-release-bot → GitHub Actions (on 2026-01-23) provenance

This version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.2

2 findings

HIGH Publisher changed: jupyterlab-release-bot → GitHub Actions (on 2026-01-12) provenance

This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.3.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.