@mxpicture/build-api — Greenflagged

Build utilities API

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mxpicture

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Package is published via GitHub Actions CI/CD; lack of Sigstore provenance is common and not a security threat for this org's packages.	ai	2026/04/26
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a legitimate build utility dependency used indirectly by this package's utilities; phantom-dep pattern is expected for utility libraries.	ai	2026/04/26
phantom-deps	phantom-dep:micromatch	AI (phantom-deps): micromatch is a legitimate build utility dependency used indirectly; phantom-dep pattern is expected for utility libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@commander-js/extra-typings	AI (phantom-deps): Type definitions package used indirectly with commander; phantom-dep pattern is expected for utility libraries.	ai	2026/04/26
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a type definition package for a TypeScript build utilities library; declaring it as a dep without direct imports is standard practice.	ai	2026/04/26
phantom-deps	phantom-dep:@typescript-eslint/eslint-plugin	AI (phantom-deps): Referenced in config files rather than direct imports; expected pattern for ESLint plugin dependencies in a build utilities package.	ai	2026/04/26
phantom-deps	phantom-dep:@types/micromatch	AI (phantom-deps): @types/micromatch is a TypeScript type declaration package; declaring it as a dependency without direct imports is standard practice in TypeScript projects.	ai	2026/04/26
phantom-deps	phantom-dep:@mxpicture/dep-analyzer	AI (phantom-deps): Same-org scoped package from @mxpicture; phantom usage is consistent with internal tooling loaded indirectly or via dist output.	ai	2026/04/26

Versions (showing 51 of 232)

View all versions

Version	Deps	Published
0.4.42	16 / 0	2026-05-22
0.4.41	16 / 0	2026/05/22
0.4.40	16 / 0	2026-05-22
0.4.39	16 / 0	2026-05-22
0.4.37	15 / 0	2026-05-08
0.4.36	15 / 0	2026-05-07
0.4.35	15 / 0	2026-05-05
0.4.34	15 / 0	2026-05-05
0.4.33	15 / 0	2026-05-05
0.4.32	15 / 0	2026-05-05
0.4.31	15 / 0	2026-05-05
0.4.23	15 / 0	2026-05-05
0.4.22	15 / 0	2026-05-05
0.4.21	15 / 0	2026-05-05
0.4.20	15 / 0	2026-05-05
0.4.19	15 / 0	2026-05-04
0.4.18	15 / 0	2026-05-04
0.4.17	14 / 0	2026-05-04
0.4.16	14 / 0	2026-05-04
0.4.15	14 / 0	2026-05-04
0.4.14	14 / 0	2026-05-04
0.4.13	14 / 0	2026-05-04
0.4.12	14 / 0	2026-05-04
0.4.11	14 / 0	2026-05-04
0.4.10	14 / 0	2026-05-04
0.4.9	14 / 0	2026-05-04
0.4.8	14 / 0	2026-05-03
0.4.7	14 / 0	2026-05-03
0.4.6	14 / 0	2026-05-03
0.4.5	14 / 0	2026-05-03
0.4.4	14 / 0	2026-05-03
0.4.3	14 / 0	2026-05-03
0.4.2	14 / 0	2026-05-02
0.3.106	14 / 0	2026-05-01
0.3.105	14 / 0	2026-04-30
0.3.104	14 / 0	2026-04-30
0.3.103	14 / 0	2026-04-30
0.3.102	14 / 0	2026-04-30
0.3.101	14 / 0	2026-04-30
0.3.100	14 / 0	2026-04-30
0.3.99	14 / 0	2026-04-29
0.3.98	14 / 0	2026-04-29
0.3.97	14 / 0	2026-04-29
0.3.96	15 / 1	2026-04-29
0.3.95	15 / 1	2026-04-29
0.3.94	15 / 1	2026-04-29
0.3.93	15 / 1	2026-04-28
0.3.92	15 / 1	2026-04-28
0.3.91	15 / 1	2026-04-28
0.3.90	15 / 1	2026-04-28
0.3.89	15 / 1	2026-04-28