
@jupyterlab/services

Client APIs for the Jupyter services REST APIs

Versions: 16
License: BSD-3-Clause
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

darian, blink1073, jasongrout, fcollonval, jtpio, mbektas, krassowski, jupyterlab-release-bot

Keywords

jupyter, notebook, services

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a legitimate runtime dependency used for WebSocket support; phantom-dep fires due to dynamic/conditional import patterns in this isomorphic library. | ai |
phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): node-fetch is loaded via eval('require')('node-fetch') to avoid bundler inclusion; static analysis cannot detect this dynamic import. Legitimate runtime dependency. | ai |
semgrep | semgrep:eval-usage | AI (semgrep): eval('require') is a hardcoded static string used to conditionally load node-fetch in Node.js environments without bundler interference, a well-known legitimate isomorphic pattern with no dynamic input. | ai |
phantom-deps | phantom-dep:@types/text-encoding | AI (phantom-deps): Type-only package used for TypeScript compilation; not being directly imported at runtime is expected behavior for @types packages. | ai |
provenance | no-provenance | AI (provenance): This is a legacy version predating npm provenance attestation; absence is expected and not a risk signal for this well-established package. | ai |
dependencies | unvetted-dep:@types/text-encoding | AI (dependencies): @types/text-encoding is a TypeScript type definition package with no runtime code; it poses no security risk for this package. | ai |
phantom-deps | phantom-dep:@types/minimist | AI (phantom-deps): @types/minimist as a runtime dep is a harmless quirk of older TypeScript project conventions; no security implication. | ai |
dependencies | unvetted-dep:phosphor | AI (dependencies): phosphor was the official predecessor UI framework for JupyterLab; its use in early @jupyterlab/services versions is expected and legitimate. | ai |
provenance | publisher-changed | AI (provenance): Migration from jupyterlab-release-bot to GitHub Actions OIDC publishing with SLSA provenance; legitimate CI/CD infrastructure change for the JupyterLab project. | ai |
dependencies | unvetted-dep:@jupyterlab/coreutils | AI (dependencies): Known JupyterLab sibling package; expected dependency for @jupyterlab/services. | ai |
bogus-package | bogus-package | AI (bogus-package): Inflated semver is expected for JupyterLab monorepo packages published at their monorepo version. The README signal is a false positive for this legitimate Project Jupyter package. | ai |
dependencies | unvetted-dep:@jupyterlab/settingregistry | AI (dependencies): Known JupyterLab sibling package; expected dependency for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@jupyter/ydoc | AI (dependencies): Known JupyterLab ecosystem dependency; expected transitive dep for this package. | ai |
dependencies | unvetted-dep:@lumino/polling | AI (dependencies): Known Lumino ecosystem dependency; expected for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@lumino/coreutils | AI (dependencies): Known Lumino ecosystem dependency; expected for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@lumino/signaling | AI (dependencies): Known Lumino ecosystem dependency; expected for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@lumino/disposable | AI (dependencies): Known Lumino ecosystem dependency; expected for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@lumino/properties | AI (dependencies): Known Lumino ecosystem dependency; expected for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@jupyterlab/statedb | AI (dependencies): Known JupyterLab sibling package; expected dependency for @jupyterlab/services. | ai |
dependencies | unvetted-dep:@jupyterlab/nbformat | AI (dependencies): Known JupyterLab sibling package; expected dependency for @jupyterlab/services. | ai |
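The phantom-dep and semgrep entries above turn on one point: a static scanner resolves `import`/`require` of a literal specifier, but not a specifier handed to `eval('require')(...)`, so a declared dependency loaded that way looks unused, while the `eval` itself is harmless because its argument is a constant string. The following is an added example, not code from this page or from the JupyterLab project: a small Node.js check that compares declared dependencies against static imports, separately credits the constant-string `eval('require')('pkg')` idiom, and still counts `eval` calls whose argument is not a string literal. The package.json fragment and source text are constructed for the demonstration; the `minimist` entry is a deliberately unused dependency and says nothing about @jupyterlab/services.

```javascript
'use strict';

// Constructed package.json fragment. 'minimist' is declared but never loaded,
// so it represents a genuine unused dependency; the rest mirror the report.
const PACKAGE_JSON = {
  name: 'example-isomorphic-lib',
  dependencies: {
    ws: '^8.0.0',
    'node-fetch': '^2.6.0',
    '@types/text-encoding': '^0.0.35',
    '@lumino/signaling': '^2.0.0',
    minimist: '^1.2.0',
  },
};

// Constructed source text in the isomorphic style the accepted-risk notes describe.
const SOURCE = `
import { Signal } from '@lumino/signaling';
let WebSocket = globalThis.WebSocket;
let fetch = globalThis.fetch;
if (typeof process !== 'undefined' && process.versions && process.versions.node) {
  // Constant string passed to eval, so bundlers do not follow the require.
  WebSocket = eval('require')('ws');
  fetch = eval('require')('node-fetch');
}
const handler = eval(userInput); // non-literal argument: a real review item
`;

// Reduce an import specifier to its package name ('@scope/pkg/sub' -> '@scope/pkg').
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Run a capturing regex over the source and collect the package names it yields.
function collect(src, re) {
  const found = new Set();
  for (let m; (m = re.exec(src)) !== null; ) found.add(packageName(m[1]));
  return found;
}

// References a bundler or plain static analysis will resolve:
// `from 'x'`, `import 'x'`, `import('x')`, `require('x')`.
function staticImports(src) {
  return collect(src, /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g);
}

// The eval('require')('x') idiom: both the eval argument and the specifier are
// string literals, which is what makes it acceptable and also what hides it
// from require()-only resolution.
function evalRequireImports(src) {
  return collect(src, /\beval\s*\(\s*['"]require['"]\s*\)\s*\(\s*['"]([^'"]+)['"]\s*\)/g);
}

// eval() whose first argument is not a string literal: code execution from
// data, unlike the constant-string idiom above.
function nonLiteralEvalSites(src) {
  return (src.match(/\beval\s*\(\s*(?!['"])/g) || []).length;
}

// Classify every declared dependency.
function auditDependencies(pkg, src) {
  const stat = staticImports(src);
  const dyn = evalRequireImports(src);
  const result = { ok: [], dynamic: [], typeOnly: [], phantom: [], nonLiteralEvalSites: nonLiteralEvalSites(src) };
  for (const dep of Object.keys(pkg.dependencies || {})) {
    if (dep.startsWith('@types/')) result.typeOnly.push(dep); // type-only, no runtime import expected
    else if (stat.has(dep)) result.ok.push(dep);              // seen by static analysis
    else if (dyn.has(dep)) result.dynamic.push(dep);          // only reachable via eval('require')
    else result.phantom.push(dep);                            // declared, never referenced
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditDependencies(PACKAGE_JSON, SOURCE), null, 2));
}
```

Run with `node`. The two dependencies loaded only through `eval('require')` land in `dynamic` rather than `phantom`, which is the distinction the accepted-risk notes draw, `@types/*` packages are set aside as type-only, and `eval(userInput)` is still surfaced as a site that needs a human look. The regexes are deliberately simple; a production scanner would parse the source rather than pattern-match it.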

Versions (showing 16 of 216)

Version | Deps | Published
0.34.0 | 6 / 15 |
0.33.1 | 6 / 15 |
0.33.0 | 6 / 15 |
0.32.0 | 6 / 15 |
0.31.0 | 6 / 15 |
0.30.2 | 6 / 15 |
0.30.1 | 6 / 15 |
0.30.0 | 6 / 15 |
0.29.0 | 6 / 15 |
0.28.0 | 6 / 15 |
0.27.0 | 6 / 15 |
0.26.0 | 6 / 15 |
0.25.0 | 6 / 15 |
0.24.0 | 6 / 15 |
0.23.0 | 6 / 15 |
0.22.0 | 7 / 15 |

v0.34.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.33.1 (1 finding)

LOW  provenance: No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.33.0 (1 finding)

LOW  provenance: No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.32.0 (1 finding)

LOW  provenance: No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.31.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.30.2 (1 finding)

LOW  provenance: No provenance attestation
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.30.1 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.30.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.29.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.28.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.27.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.26.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.25.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.24.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.23.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.22.0 (1 finding)

INFO  provenance: No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
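The per-version "No provenance attestation" findings, the "No source commit" badge and the publisher-changed note can all be derived from the registry packument (`npm view <pkg> --json` or `https://registry.npmjs.org/<pkg>`): versions published with provenance carry a `dist.attestations` object with a `provenance.predicateType`, `_npmUser` records the publishing account, and `gitHead` records the commit the publish was made from. The following is an added example, not code from this page or from the JupyterLab project. The packument is constructed (package `example-pkg`, publishers `release-bot` and `ci-publisher`, `.invalid` e-mail domains) and is not registry data for @jupyterlab/services; the version ordering ignores prerelease tags.

```javascript
'use strict';

// Constructed packument fragment (not real registry data). Field names follow
// the npm registry document format; every value is invented for the example.
const PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.0.0' },
  versions: {
    '0.34.0': {
      version: '0.34.0',
      _npmUser: { name: 'release-bot', email: 'release-bot@example.invalid' },
      gitHead: '1111111111111111111111111111111111111111',
      dist: { tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-0.34.0.tgz' },
    },
    '0.33.1': {
      version: '0.33.1',
      _npmUser: { name: 'release-bot', email: 'release-bot@example.invalid' },
      gitHead: '2222222222222222222222222222222222222222',
      dist: { tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-0.33.1.tgz' },
    },
    '1.0.0': {
      version: '1.0.0',
      _npmUser: { name: 'ci-publisher', email: 'ci@example.invalid' },
      // No gitHead recorded for this publish.
      dist: {
        tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.0.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Numeric major.minor.patch comparison; prerelease suffixes are ignored here.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A version has provenance when the registry attached an attestation bundle
// that includes a provenance predicate (the SLSA predicate in npm's Sigstore flow).
function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

// Walk versions oldest to newest and emit the three signals this report uses:
// missing provenance, missing source commit, and a change of publishing account.
function provenanceReport(packument) {
  const ordered = Object.keys(packument.versions).sort(compareVersions);
  const report = [];
  let previousPublisher = null;
  for (const ver of ordered) {
    const doc = packument.versions[ver];
    const publisher = doc._npmUser ? doc._npmUser.name : null;
    const findings = [];
    if (!hasProvenance(doc)) findings.push('no-provenance');
    if (!doc.gitHead) findings.push('no-source-commit');
    if (previousPublisher !== null && publisher !== previousPublisher) {
      findings.push('publisher-changed');
    }
    report.push({ version: ver, publisher, provenance: hasProvenance(doc), findings });
    previousPublisher = publisher;
  }
  return report;
}

// Status entry for whatever the registry currently tags as latest.
function latestStatus(packument) {
  const latest = packument['dist-tags'].latest;
  return provenanceReport(packument).find((entry) => entry.version === latest);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const entry of provenanceReport(PACKUMENT)) {
    console.log(`${entry.version}\t${entry.publisher}\t${entry.findings.join(', ') || 'ok'}`);
  }
}
```

`publisher-changed` is a signal, not a verdict: this page accepts exactly such a transition (jupyterlab-release-bot to GitHub Actions OIDC publishing) as a legitimate CI change, and once provenance is present the attestation, which names the workflow and source repository that built the tarball, is a stronger record than `_npmUser`. The check also reports `no-source-commit` when `gitHead` is absent, which is the badge shown in the supply chain provenance block above; for real data, fetch the packument and pass it in place of the constructed object.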