@lemoncloud/ssocio2-backend-api
ssocio-v2 service backend api
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Internal API package; no provenance is consistent across all 95 versions and poses no exploit risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal/ecosystem API package; sparse metadata is consistent with private org tooling published publicly. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 0.26.526 | 4 / 0 | |
| 0.26.516 | 4 / 0 | |
| 0.26.514 | 4 / 0 | |
| 0.26.511 | 4 / 0 | |
| 0.26.507 | 4 / 0 | |
| 0.26.428 | 4 / 0 | |
| 0.26.419 | 4 / 0 | |
| 0.26.414 | 4 / 0 | |
| 0.26.323 | 4 / 0 | |
| 0.26.312 | 4 / 0 | |
| 0.26.219 | 4 / 0 | |
| 0.26.128 | 4 / 0 | |
| 0.25.1112 | 4 / 0 | |
| 0.25.1111 | 4 / 0 | |
| 0.25.1110 | 4 / 0 | |
| 0.25.1024 | 4 / 0 | |
| 0.25.1023 | 4 / 0 | |
| 0.25.924 | 4 / 0 | |
| 0.25.916 | 4 / 0 | |
| 0.25.730 | 4 / 0 | |
| 0.25.729 | 4 / 0 | |
| 0.25.728 | 4 / 0 | |
| 0.25.616 | 4 / 0 | |
| 0.25.527 | 4 / 0 | |
| 0.25.526 | 4 / 0 | |
| 0.25.522 | 4 / 0 | |
| 0.25.518 | 4 / 0 | |
v0.26.526
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.516
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.514
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.511
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.507
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.419
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.414
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.323
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.312
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.219
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.128
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1112
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1111
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1110
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1024
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1023
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.924
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.916
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.730
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.729
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.728
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.616
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.527
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.526
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.522
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.518
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.