@livestore/peer-deps — Greenflagged

This is a convenience package that can be installed to satisfy peer dependencies of Livestore packages.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

schicklinglivestore-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@effect/sql	AI (phantom-deps): Same peer-deps pattern; no code to import into.	ai	2026/06/03
phantom-deps	phantom-dep:@effect/ai	AI (phantom-deps): peer-deps package intentionally declares deps without importing; pattern is stable across all versions.	ai	2026/06/03
phantom-deps	phantom-dep:@effect/rpc	AI (phantom-deps): Same peer-deps pattern; no code to import into.	ai	2026/06/03
phantom-deps	phantom-dep:@standard-schema/spec	AI (phantom-deps): Same peer-deps pattern; no code to import into.	ai	2026/06/03
phantom-deps	phantom-dep:@effect/vitest	AI (phantom-deps): Same peer-deps pattern; no code to import into.	ai	2026/06/03
phantom-deps	phantom-dep:@effect/cluster	AI (phantom-deps): Same peer-deps pattern; no code to import into.	ai	2026/06/03
bogus-package	bogus-package	AI (bogus-package): Intentional meta-package with no code; ships only package.json to satisfy peer deps. No-repo/no-keywords/tiny-payload are expected for this pattern.	ai	2026/05/09
phantom-deps	phantom-dep:@effect/platform-bun	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/printer-ansi	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/opentelemetry	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:effect	AI (phantom-deps): peer-deps package; all deps are intentionally declared but not imported — this is the package's entire purpose.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/platform-browser	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@opentelemetry/resources	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/platform-node	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/cli	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/printer	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/platform	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/typeclass	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@opentelemetry/api	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29
phantom-deps	phantom-dep:@effect/experimental	AI (phantom-deps): Same as above; no code files shipped.	ai	2026/04/29

Versions (showing 3 of 3)

Version	Deps	Published
0.4.0	19 / 0	2026-06-02
0.3.1	13 / 0	2025-06-06
0.3.0	13 / 0	2025-05-22

v0.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.