@malloydata/db-duckdb
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher is confirmed legitimate by SLSA/Sigstore provenance attestation on this and subsequent releases. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @duckdb/node-api is the official DuckDB Node API; addition is consistent with this DuckDB connector package's purpose. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package is part of active malloydata monorepo with 1502+ versions; dormancy flag is a false positive for this sub-package. | ai | |
| dependencies | unvetted-dep:@duckdb/node-api | AI (dependencies): @duckdb/node-api is the official DuckDB Node.js API; expected dependency for this DuckDB connector package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped org package in a large monorepo; sparse README and no keywords are expected for internal packages. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 1500+ versions; no provenance is consistent across all prior releases. | ai |
Versions (showing 51 of 81)
| Version | Deps | Published |
|---|---|---|
| 0.0.396 | 6 / 0 | |
| 0.0.395 | 6 / 0 | |
| 0.0.393 | 6 / 0 | |
| 0.0.387 | 6 / 0 | |
| 0.0.385 | 6 / 0 | |
| 0.0.384 | 6 / 0 | |
| 0.0.381 | 6 / 0 | |
| 0.0.379 | 6 / 0 | |
| 0.0.376 | 6 / 0 | |
| 0.0.375 | 6 / 0 | |
| 0.0.374 | 6 / 0 | |
| 0.0.373 | 6 / 0 | |
| 0.0.370 | 6 / 0 | |
| 0.0.368 | 6 / 0 | |
| 0.0.361 | 6 / 0 | |
| 0.0.342 | 6 / 0 | |
| 0.0.336 | 6 / 0 | |
| 0.0.334 | 6 / 0 | |
| 0.0.332 | 6 / 0 | |
| 0.0.331 | 6 / 0 | |
| 0.0.330 | 6 / 0 | |
| 0.0.329 | 6 / 0 | |
| 0.0.328 | 6 / 0 | |
| 0.0.327 | 6 / 0 | |
| 0.0.326 | 6 / 0 | |
| 0.0.325 | 6 / 0 | |
| 0.0.324 | 6 / 0 | |
| 0.0.323 | 6 / 0 | |
| 0.0.322 | 6 / 0 | |
| 0.0.321 | 6 / 0 | |
| 0.0.320 | 6 / 0 | |
| 0.0.319 | 6 / 0 | |
| 0.0.318 | 6 / 0 | |
| 0.0.317 | 6 / 0 | |
| 0.0.316 | 6 / 0 | |
| 0.0.315 | 6 / 0 | |
| 0.0.314 | 6 / 0 | |
| 0.0.313 | 6 / 0 | |
| 0.0.312 | 6 / 0 | |
| 0.0.311 | 6 / 0 | |
| 0.0.310 | 6 / 0 | |
| 0.0.309 | 6 / 0 | |
| 0.0.308 | 6 / 0 | |
| 0.0.307 | 6 / 0 | |
| 0.0.306 | 6 / 0 | |
| 0.0.305 | 6 / 0 | |
| 0.0.304 | 6 / 0 | |
| 0.0.303 | 6 / 0 | |
| 0.0.302 | 6 / 0 | |
| 0.0.301 | 6 / 0 | |
| 0.0.300 | 6 / 0 |
v0.0.396
2 findingsThis version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.395
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.393
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.385
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.384
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.381
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.379
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.376
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.375
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.374
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.373
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.370
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.368
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.361
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.342
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.336
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.334
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.332
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.331
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.330
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.329
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.328
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.327
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.326
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.325
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.324
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.323
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.322
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.321
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.320
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.319
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.318
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.317
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.316
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.315
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.314
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.313
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.312
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.311
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.310
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.309
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.308
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.307
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.306
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.305
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.304
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.303
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.302
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.301
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.300
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.