
@lowdefy/server

Versions: 11
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

samtolmay, gervwyk, machielvdw

Keywords

lowdefy, server

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer is within the same lowdefy org; consistent with team growth on an established package. | ai | |
| provenance | publisher-changed | AI (provenance): Package migrated to GitHub Actions CI publishing with SLSA provenance; legitimate org-level change for lowdefy monorepo. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is same-org @lowdefy scope at matching version, consistent with monorepo coordinated release pattern. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-nunjucks | AI (phantom-deps): Same-org plugin dep declared for runtime resolution, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-uuid | AI (phantom-deps): Same-org plugin dep declared for runtime resolution, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/connection-axios-http | AI (phantom-deps): Same-org plugin dep declared for runtime resolution, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-markdown | AI (phantom-deps): Same-org plugin dep declared for runtime resolution, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/connection-mongodb | AI (phantom-deps): Same-org plugin dep declared for runtime resolution, not direct import; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@sentry/nextjs | AI (dependencies): Sentry Next.js SDK is a well-known observability library; pinned to exact version in a mature monorepo. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/postcss | AI (phantom-deps): PostCSS config-referenced dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/actions-core | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-basic | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): @lowdefy/server is a scoped monorepo package; Levenshtein match to 'semver' is a false positive with no brand/namespace overlap. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-loaders | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/plugin-next-auth | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-js | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in plugin-loader (createCustomPluginTypesMap.mjs) is a documented plugin resolution pattern; stable for this package. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Peer/config-referenced dep in Next.js server package; not a real phantom dependency. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Next.js peer dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): PostCSS/Tailwind config-referenced dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/layout | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-antd | AI (phantom-deps): Same-org monorepo dep referenced in config; stable false positive. | ai | |

Versions (showing 11 of 11)

| Version | Deps | Published |
|---|---|---|
| 5.3.0 | 29 / 7 | |
| 5.2.0 | 28 / 7 | |
| 5.1.0 | 27 / 7 | |
| 5.0.0 | 27 / 7 | |
| 4.7.3 | 28 / 8 | |
| 4.7.2 | 28 / 8 | |
| 4.7.1 | 28 / 8 | |
| 4.7.0 | 28 / 8 | |
| 4.6.0 | 28 / 8 | |
| 4.5.2 | 24 / 8 | |
| 4.5.1 | 24 / 8 | |

v5.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.7.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.7.2

2 findings
HIGH Publisher changed: samtolmay → GitHub Actions (on 2026-03-25) provenance

This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.7.1

2 findings
HIGH Publisher changed: samtolmay → GitHub Actions (on 2026-03-19) provenance

This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.7.0

2 findings
HIGH Publisher changed: samtolmay → GitHub Actions (on 2026-03-11) provenance

This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.6.0

2 findings
HIGH Publisher changed: samtolmay → GitHub Actions (on 2026-03-09) provenance

This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.