@lonik/prestige
Static Site Generator for Tanstack Start
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Publisher has clean track record; likely CI environment change, not a supply-chain indicator for this package. | ai | |
| dependencies | unvetted-dep:@lonik/themer | AI (dependencies): Same publisher namespace with approved track record; stable first-party dependency. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 43 versions in registry; 0.0.0 is a placeholder convention for this active project, not a throwaway malicious package. | ai | |
| phantom-deps | phantom-dep:remark-toc | AI (phantom-deps): Remark plugin dep; used via config, stable false positive for this SSG package. | ai | |
| phantom-deps | phantom-dep:remark-parse | AI (phantom-deps): Remark pipeline dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vfile-matter | AI (phantom-deps): Remark/vfile pipeline dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@mdx-js/react | AI (phantom-deps): MDX dep used via config/peer; stable false positive. | ai | |
| phantom-deps | phantom-dep:remark-rehype | AI (phantom-deps): Remark pipeline dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): SSG framework; deps used via config/plugin resolution, not direct imports — stable false positive. | ai | |
| phantom-deps | phantom-dep:@mdx-js/rollup | AI (phantom-deps): MDX rollup plugin dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:rehype-stringify | AI (phantom-deps): Rehype pipeline dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vite-tsconfig-paths | AI (phantom-deps): Vite plugin dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:remark-mdx-frontmatter | AI (phantom-deps): Remark plugin dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/typography | AI (phantom-deps): Tailwind plugin dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vfile-message | AI (phantom-deps): Vfile ecosystem dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:vfile | AI (phantom-deps): Same as above — remark/rehype pipeline dep, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): File-watching dep used via vite plugin config, not direct import. | ai |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 0.15.0 | 38 / 32 | |
| 0.14.0 | 38 / 32 | |
| 0.13.4 | 39 / 32 | |
| 0.13.3 | 39 / 32 | |
| 0.13.2 | 39 / 32 | |
| 0.13.1 | 39 / 32 | |
| 0.13.0 | 39 / 32 | |
| 0.12.1 | 39 / 33 | |
| 0.12.0 | 39 / 33 | |
| 0.11.6 | 38 / 33 | |
| 0.11.5 | 38 / 33 | |
| 0.11.4 | 38 / 33 | |
| 0.11.3 | 38 / 33 | |
| 0.11.2 | 38 / 33 | |
| 0.11.1 | 38 / 33 | |
| 0.11.0 | 38 / 33 | |
| 0.10.1 | 38 / 33 | |
| 0.10.0 | 38 / 33 | |
| 0.9.0 | 38 / 33 | |
| 0.8.0 | 37 / 33 | |
| 0.7.0 | 35 / 33 | |
| 0.6.3 | 35 / 33 | |
| 0.6.2 | 35 / 33 | |
| 0.6.1 | 35 / 33 | |
| 0.6.0 | 35 / 33 | |
| 0.5.0 | 35 / 33 | |
| 0.4.0 | 35 / 33 | |
| 0.3.8 | 35 / 30 | |
| 0.3.7 | 34 / 30 | |
| 0.3.6 | 4 / 30 | |
| 0.3.5 | 4 / 30 | |
| 0.3.4 | 4 / 30 | |
| 0.3.3 | 4 / 30 | |
| 0.3.2 | 4 / 30 | |
| 0.3.1 | 0 / 30 | |
| 0.3.0 | 0 / 30 | |
| 0.2.2 | 0 / 30 | |
| 0.2.1 | 0 / 30 | |
| 0.2.0 | 0 / 30 | |
| 0.1.7 | 0 / 30 | |
| 0.1.6 | 0 / 30 | |
| 0.1.5 | 0 / 30 | |
| 0.0.0 | 0 / 30 |
v0.15.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lonik.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.