@lookiero/style-profile
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-peer-dep:@lookiero/i18n | AI (dependencies): Internal org peer dependency; stable pattern across versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @expo/metro-runtime is a legitimate Expo ecosystem dep consistent with existing expo peer deps in this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-units | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-tracking | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-sp-tradename | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-ab-testing | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-expo-config | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-react-native | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-notifications | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-quiz-style-profile-common-ui | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump (v2→v3); large file count increase expected for a significant release. | ai | |
| dependencies | unvetted-dep:@lookiero/messaging | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-ui | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/data-sources | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-http | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-i18n | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-uuid | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/look-and-like | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-locale | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/messaging-react | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-logging | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@lookiero/sty-psp-segment | AI (dependencies): Internal @lookiero org dep; stable pattern across all versions of this package. | ai | |
| phantom-deps | phantom-dep:react-native-worklets | AI (phantom-deps): Platform-specific binary dep; phantom-dep heuristic unreliable for RN native modules. | ai | |
| phantom-deps | phantom-dep:@lookiero/data-sources | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for internal monorepo packages. | ai | |
| phantom-deps | phantom-dep:@lookiero/sty-psp-units | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for internal monorepo packages. | ai | |
| phantom-deps | phantom-dep:@lookiero/sty-psp-expo-config | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for internal monorepo packages. | ai | |
| phantom-deps | phantom-dep:@lookiero/sty-psp-react-native | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for internal monorepo packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Internal org package; missing description is consistent across all @lookiero packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal org package; missing metadata is expected for private/internal npm packages. | ai | |
| provenance | no-provenance | AI (provenance): Internal org package; provenance not expected for private org packages. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 5.1.0 | 28 / 15 | |
| 4.4.4 | 24 / 16 | |
| 3.7.0 | 24 / 16 | |
| 3.3.2 | 24 / 14 | |
| 3.3.0 | 24 / 14 | |
| 3.2.0 | 24 / 14 | |
| 3.1.0 | 24 / 14 | |
| 3.0.0 | 25 / 14 | |
| 2.40.0 | 25 / 12 | |
| 2.39.0 | 24 / 12 | |
| 2.38.0 | 24 / 12 | |
| 2.37.1 | 24 / 12 | |
| 2.37.0 | 24 / 12 | |
| 2.36.2 | 24 / 12 |
v4.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.37.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.36.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.