@mai0313/gotemp
A production-ready Go project template to bootstrap new projects fast. It includes a clean Go module layout, Docker, and a complete CI/CD suite.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions CI/CD with SLSA provenance attestation; this is the documented release mechanism for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Package is a CLI tool that intentionally ships prebuilt Go binaries for multiple platforms; SLSA provenance attestation validates build integrity. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used to launch bundled platform binary — standard pattern for native CLI wrappers distributed via npm. | ai | |
| bogus-package | bogus-package | AI (bogus-package): No npm deps expected for a native binary wrapper; README links are project documentation, not a phishing farm. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.1.28 | 0 / 0 | |
| 0.1.27 | 0 / 0 | |
| 0.1.26 | 0 / 0 | |
| 0.1.25 | 0 / 0 | |
| 0.1.24 | 0 / 0 | |
| 0.1.23 | 0 / 0 | |
| 0.1.22 | 0 / 0 | |
v0.1.28
2 findings
This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.27
2 findings
This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.26
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.25
2 findings
Package contains compiled binaries that could be backdoors:
• binaries/linux-arm64-gnu/go_template
• binaries/linux-x64-gnu/go_template
• binaries/macos-arm64/go_template
• binaries/macos-x64/go_template
• binaries/windows-arm64/go_template.exe
• binaries/windows-x64/go_template.exe
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.24
2 findings
Package contains compiled binaries that could be backdoors:
• binaries/linux-arm64-gnu/go_template
• binaries/linux-x64-gnu/go_template
• binaries/macos-arm64/go_template
• binaries/macos-x64/go_template
• binaries/windows-arm64/go_template.exe
• binaries/windows-x64/go_template.exe
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.23
2 findings
Package contains compiled binaries that could be backdoors:
• binaries/linux-arm64-gnu/go_template
• binaries/linux-x64-gnu/go_template
• binaries/macos-arm64/go_template
• binaries/macos-x64/go_template
• binaries/windows-arm64/go_template.exe
• binaries/windows-x64/go_template.exe
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.22
2 findings
Package contains compiled binaries that could be backdoors:
• binaries/linux-arm64-gnu/go_template
• binaries/linux-x64-gnu/go_template
• binaries/macos-arm64/go_template
• binaries/macos-x64/go_template
• binaries/windows-arm64/go_template.exe
• binaries/windows-x64/go_template.exe
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.