@malloydata/malloy-tag — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

malloy-lang-usergmadenscullinmtoy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing is confirmed by SLSA provenance attestation; expected for this monorepo.	ai	2026/05/22
dependencies	unvetted-dep:antlr4ts	AI (dependencies): antlr4ts is the standard ANTLR4 TS runtime; its use is consistent with this parser-building package across all versions.	ai	2026/05/11
semgrep	semgrep:child-process-import	AI (semgrep): child_process used only in build_parser.js for ANTLR codegen; not an install script or runtime path.	ai	2026/05/05
phantom-deps	phantom-dep:assert	AI (phantom-deps): assert is a declared runtime dependency in package.json; phantom-dep heuristic misfires here.	ai	2026/04/29

Versions (showing 100 of 106)

Version	Deps	Published
0.0.405	2 / 2	2026-06-04
0.0.404	2 / 2	2026-06-04
0.0.403	2 / 2	2026-05-28
0.0.402	2 / 2	2026-05-28
0.0.401	2 / 2	2026-05-27
0.0.400	2 / 2	2026-05-26
0.0.399	2 / 2	2026-05-25
0.0.398	2 / 2	2026-05-23
0.0.397	2 / 2	2026-05-23
0.0.396	2 / 2	2026-05-21
0.0.395	2 / 2	2026-05-14
0.0.394	2 / 2	2026-05-13
0.0.393	2 / 2	2026-05-07
0.0.392	2 / 2	2026-05-07
0.0.391	2 / 2	2026-05-02
0.0.390	2 / 2	2026-05-02
0.0.389	2 / 2	2026-05-02
0.0.388	2 / 2	2026-05-01
0.0.387	2 / 2	2026-04-28
0.0.386	2 / 2	2026-04-28
0.0.385	2 / 2	2026-04-27
0.0.384	2 / 2	2026-04-27
0.0.383	2 / 2	2026-04-26
0.0.382	2 / 2	2026-04-23
0.0.381	2 / 2	2026-04-22
0.0.380	2 / 2	2026-04-17
0.0.379	2 / 2	2026-04-17
0.0.378	2 / 2	2026-04-16
0.0.377	2 / 2	2026-04-14
0.0.376	2 / 2	2026-04-14
0.0.375	2 / 2	2026-04-13
0.0.374	2 / 2	2026-04-10
0.0.373	2 / 2	2026-04-10
0.0.372	2 / 2	2026-04-08
0.0.371	2 / 2	2026-04-08
0.0.370	2 / 2	2026-04-05
0.0.369	2 / 2	2026-04-02
0.0.368	2 / 2	2026-04-01
0.0.367	2 / 2	2026-03-25
0.0.366	2 / 2	2026-03-24
0.0.365	2 / 2	2026-03-23
0.0.364	2 / 2	2026-03-23
0.0.363	2 / 2	2026-03-22
0.0.362	2 / 2	2026-03-17
0.0.361	2 / 2	2026-03-14
0.0.360	2 / 2	2026-03-12
0.0.359	2 / 2	2026-03-12
0.0.358	2 / 2	2026-03-11
0.0.357	2 / 2	2026-03-11
0.0.356	2 / 2	2026-03-11
0.0.355	2 / 2	2026-03-11
0.0.354	2 / 2	2026-03-10
0.0.353	2 / 2	2026-03-08
0.0.352	2 / 2	2026-03-07
0.0.351	2 / 2	2026-03-07
0.0.350	2 / 2	2026-03-03
0.0.349	2 / 2	2026-02-26
0.0.348	2 / 2	2026-02-26
0.0.347	2 / 2	2026-02-25
0.0.346	2 / 2	2026-02-25
0.0.345	2 / 2	2026-02-25
0.0.344	2 / 2	2026-02-21
0.0.343	2 / 2	2026-02-19
0.0.342	2 / 2	2026-02-18
0.0.341	2 / 2	2026-02-17
0.0.340	2 / 2	2026-02-17
0.0.339	1 / 3	2026-02-15
0.0.338	1 / 3	2026-02-15
0.0.337	1 / 3	2026-02-13
0.0.336	1 / 3	2026-02-07
0.0.335	3 / 3	2026-01-17
0.0.332	3 / 3	2026-01-02
0.0.327	3 / 3	2025-12-20
0.0.326	3 / 3	2025-12-13
0.0.325	3 / 3	2025-12-05
0.0.324	3 / 3	2025-11-22
0.0.321	3 / 3	2025-11-07
0.0.320	3 / 3	2025-11-07
0.0.319	3 / 3	2025-11-01
0.0.318	3 / 3	2025-10-27
0.0.317	3 / 3	2025-10-24
0.0.316	3 / 3	2025-10-23
0.0.315	3 / 3	2025-10-11
0.0.313	3 / 3	2025-09-24
0.0.312	3 / 3	2025-09-22
0.0.311	3 / 3	2025-09-19
0.0.310	3 / 3	2025-09-12
0.0.309	3 / 3	2025-09-07
0.0.307	3 / 3	2025-08-26
0.0.306	3 / 3	2025-08-21
0.0.303	3 / 3	2025-08-11
0.0.302	3 / 3	2025-08-09
0.0.301	3 / 3	2025-08-08
0.0.299	3 / 3	2025-07-25
0.0.298	3 / 3	2025-07-24
0.0.294	3 / 3	2025-06-30
0.0.291	3 / 3	2025-06-11
0.0.290	3 / 3	2025-06-10
0.0.285	3 / 3	2025-05-29
0.0.284	3 / 3	2025-05-28

Showing 100 of 106 Next page →

v0.0.405

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.404

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.403

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.402

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.401

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.400

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.399

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.398

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.397

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.396

2 findings

HIGH Publisher changed: scullin → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.