← Home

@mastra/voice-google-gemini-live

npm Repository Homepage

Mastra Google Gemini Live API integration

18
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

smthomasabhiaiyertaofeeq-deruehinderocalcsamrase-wardpeettylerbarnesnikaiyer

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:dist/_types/@internal_voice/dist/_types/@internal_ai-sdk-v5/dist/index.d.ts AI (source-diff): Long lines are TypeScript declaration file content (type definitions), not obfuscated/malicious code. ai
provenance publisher-changed AI (provenance): Mastra monorepo migrated to GitHub Actions CI publishing with SLSA attestation; stable for this package going forward. ai
phantom-deps phantom-dep:zod AI (phantom-deps): zod is a peer dependency; phantom-dep false positive for peer dep pattern. ai
phantom-deps phantom-dep:@google/genai AI (phantom-deps): Runtime dep used in build output; phantom-dep heuristic misfires on bundled ESM packages. ai
phantom-deps phantom-dep:zod-to-json-schema AI (phantom-deps): Runtime dep likely used in bundled output; stable false positive for this package. ai

Versions (showing 18 of 18)

Version Deps Published
0.12.0 4 / 14
0.11.4 3 / 14
0.11.3 5 / 12
0.11.2 5 / 12
0.11.1 5 / 10
0.11.0 5 / 10
0.10.18 5 / 10
0.10.17 5 / 10
0.10.16 5 / 10
0.10.15 5 / 10
0.10.14 5 / 10
0.10.13 5 / 10
0.10.12 5 / 10
0.10.11 5 / 9
0.10.10 5 / 9
0.10.9 5 / 9
0.10.8 5 / 9
0.10.7 5 / 9

v0.12.0

2 findings
HIGH New obfuscated file: dist/_types/@internal_voice/dist/_types/@internal_ai-sdk-v5/dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.3

2 findings
HIGH Publisher changed: wardpeet → GitHub Actions (on 2026-03-11) provenance

This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.2

2 findings
HIGH Publisher changed: wardpeet → GitHub Actions (on 2026-02-19) provenance

This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.17

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.