@lage-run/config — Greenflagged

Config management for Lage

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

microsoft1eskenotron_msftecraig12345_msft

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing for a Microsoft-owned repo; SLSA attestation confirms integrity.	ai	2026/05/18
dependencies	unvetted-dep:backfill-config	AI (dependencies): backfill-config is a known Microsoft-ecosystem build caching tool; unvetted status reflects review pipeline gap, not malicious risk.	ai	2026/04/25
dependencies	unvetted-dep:workspace-tools	AI (dependencies): workspace-tools is a well-known monorepo utility used broadly in the Microsoft JS ecosystem; no malicious indicators.	ai	2026/04/25
dependencies	unvetted-dep:@lage-run/logger	AI (dependencies): Sibling package within the microsoft/lage monorepo; unvetted status is a pipeline artifact, not a security concern.	ai	2026/04/25
dependencies	unvetted-dep:@lage-run/runners	AI (dependencies): Sibling package within the microsoft/lage monorepo; unvetted status is a pipeline artifact, not a security concern.	ai	2026/04/25
dependencies	unvetted-dep:@lage-run/target-graph	AI (dependencies): Sibling package within the microsoft/lage monorepo; unvetted status is a pipeline artifact, not a security concern.	ai	2026/04/25

Versions (showing 22 of 22)

Version	Deps	Published
0.9.10	6 / 1	2026-05-01
0.9.9	6 / 1	2026-04-25
0.9.8	6 / 1	2026-04-25
0.9.7	6 / 1	2026-04-16
0.9.6	6 / 1	2026-04-10
0.9.5	6 / 1	2026-04-08
0.9.4	6 / 1	2026-04-06
0.9.3	6 / 1	2026-04-02
0.9.2	6 / 1	2026-03-26
0.9.1	6 / 1	2026-03-19
0.9.0	6 / 1	2026-03-17
0.8.0	6 / 1	2026-02-27
0.7.3	6 / 1	2026-02-10
0.7.2	6 / 1	2026-01-24
0.7.1	6 / 1	2026-01-15
0.7.0	6 / 1	2025-10-21
0.6.0	6 / 1	2025-09-25
0.5.0	6 / 1	2025-09-01
0.4.17	6 / 1	2025-08-07
0.4.16	6 / 1	2025-08-01
0.4.15	6 / 1	2025-04-29
0.4.14	6 / 1	2025-04-26

v0.9.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.8

2 findings

HIGH Publisher changed: ecraig12345_msft → GitHub Actions (on 2026-04-25) provenance

This version was published by a different npm account than previous versions on 2026-04-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.7

2 findings

HIGH Publisher changed: ecraig12345_msft → GitHub Actions (on 2026-04-16) provenance

This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.6

2 findings

HIGH Publisher changed: ecraig12345_msft → GitHub Actions (on 2026-04-10) provenance

This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.