@lage-run/cache-github-actions
Github Action Cache for Lage
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Microsoft/lage uses GitHub Actions CI for publishing; SLSA attestation confirms legitimate automated pipeline, not account compromise. | ai | |
| dependencies | unvetted-dep:@actions/cache | AI (dependencies): @actions/cache is the official GitHub Actions cache package from the actions org; legitimate dependency for a GitHub Actions cache integration. | ai | |
| dependencies | unvetted-dep:backfill-config | AI (dependencies): backfill-config is part of the Microsoft backfill build caching ecosystem, a legitimate dependency for this lage cache package. | ai | |
| dependencies | unvetted-dep:backfill-logger | AI (dependencies): backfill-logger is part of the Microsoft backfill ecosystem; legitimate dependency for this lage cache package. | ai | |
| dependencies | unvetted-dep:workspace-tools | AI (dependencies): workspace-tools is a Microsoft monorepo utility used throughout the lage ecosystem; legitimate dependency. | ai | |
| phantom-deps | phantom-dep:backfill-logger | AI (phantom-deps): backfill-logger is a legitimate Microsoft package referenced in config files; phantom dep finding is a minor code hygiene issue, not a security concern. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.1.37 | 4 / 1 | |
| 0.1.36 | 4 / 1 | |
| 0.1.35 | 4 / 1 | |
| 0.1.34 | 4 / 1 | |
| 0.1.33 | 4 / 1 | |
| 0.1.32 | 4 / 1 | |
| 0.1.31 | 4 / 1 | |
| 0.1.30 | 4 / 1 | |
| 0.1.29 | 4 / 1 | |
| 0.1.28 | 4 / 1 | |
| 0.1.27 | 4 / 1 | |
| 0.1.26 | 4 / 1 | |
| 0.1.25 | 4 / 1 |
v0.1.37
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.35
2 findingsThis version was published by a different npm account than previous versions on 2026-04-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.34
2 findingsThis version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.33
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.32
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.