@mcpmesh/sdk — Greenflagged

TypeScript SDK for MCP Mesh — build distributed AI agents with auto-discovery, dependency injection, and LLM integration

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mcp-mesh

Keywords

mcpmeshagentllmfastmcpexpress

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions publisher is backed by SLSA provenance attestation; consistent CI/CD publishing pattern.	ai	2026/05/22
dependencies	unvetted-dep:handlebars	AI (dependencies): Pinned to ^4.7.8 which is the patched release; no active CVEs at this range.	ai	2026/05/16
source-diff	large-new-source-files	AI (source-diff): Major version (v2.0.0) with expanded SDK scope; large file count expected.	ai	2026/05/16
provenance	no-provenance	AI (provenance): Absence of Sigstore provenance is common; no other risk signals elevate this.	ai	2026/05/15
phantom-deps	phantom-dep:mcp-proxy	AI (phantom-deps): SDK pattern; declared as runtime dep used via config, not direct import.	ai	2026/04/30
phantom-deps	phantom-dep:@ai-sdk/google-vertex	AI (phantom-deps): Optional AI provider dep referenced in config, not directly imported.	ai	2026/04/30
phantom-deps	phantom-dep:@ai-sdk/google	AI (phantom-deps): Optional AI provider dep referenced in config, not directly imported.	ai	2026/04/30
phantom-deps	phantom-dep:@ai-sdk/openai	AI (phantom-deps): Optional AI provider dep referenced in config, not directly imported.	ai	2026/04/30
phantom-deps	phantom-dep:@ai-sdk/anthropic	AI (phantom-deps): Optional AI provider dep referenced in config, not directly imported.	ai	2026/04/30

Versions (showing 27 of 27)

Version	Deps	Published
2.3.0	12 / 7	2026-05-23
2.2.4	12 / 7	2026-05-21
2.2.0	12 / 7	2026-05-19
2.1.0	12 / 7	2026-05-17
2.0.1	12 / 7	2026-05-16
2.0.0	12 / 7	2026-05-14
1.4.1	11 / 7	2026-04-28
1.3.4	10 / 7	2026-04-18
1.3.3	10 / 7	2026-04-16
1.3.1	10 / 7	2026-04-14
1.3.0	10 / 7	2026-04-14
1.2.0	10 / 7	2026-04-09
1.1.0	9 / 7	2026-04-05
1.0.1	9 / 7	2026-03-29
0.9.12	9 / 7	2026-03-15
0.9.10	9 / 7	2026-03-10
0.9.9	9 / 7	2026-03-05
0.9.8	9 / 7	2026-02-22
0.9.7	9 / 7	2026-02-22
0.9.6	9 / 7	2026-02-19
0.9.5	9 / 7	2026-02-18
0.9.4	9 / 7	2026-02-11
0.9.3	9 / 7	2026-02-10
0.9.1	9 / 7	2026-02-08
0.9.0	9 / 7	2026-02-08
0.8.1	9 / 7	2026-01-29
0.8.0	9 / 7	2026-01-28

v2.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.4

2 findings

HIGH Publisher changed: mcp-mesh → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.