@lobu/connector-worker — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

buremba

Keywords

workerconnectorembeddingcontentuser-research

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:sharp	AI (phantom-deps): sharp is a known optional native binding; not directly imported but used at runtime.	ai	2026/05/26
phantom-deps	phantom-dep:jimp	AI (phantom-deps): jimp is a runtime image-processing dep referenced in config; phantom-dep is a stable false positive here.	ai	2026/05/26
phantom-deps	phantom-dep:playwright	AI (phantom-deps): playwright aliased via npm alias (patchright); config-referenced, not directly imported.	ai	2026/05/26
phantom-deps	phantom-dep:playwright-vanilla	AI (phantom-deps): playwright-vanilla is an npm alias for playwright; config-referenced, not directly imported.	ai	2026/05/26
phantom-deps	phantom-dep:@xenova/transformers	AI (phantom-deps): ML embedding dep referenced in config; runtime-loaded, stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@lobu/worker	AI (phantom-deps): Same-org monorepo dep; phantom-dep is a stable false positive.	ai	2026/05/26

Versions (showing 5 of 5)

Version	Deps	Published
9.3.0	9 / 3	2026-05-24
7.1.0	9 / 3	2026-05-18
7.0.0	7 / 3	2026-05-14
6.1.1	7 / 3	2026-05-10
6.0.1	6 / 3	2026-05-04