@mxpicture/build-api
Build utilities API
32
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mxpicture
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Package is published via GitHub Actions CI/CD; lack of Sigstore provenance is common and not a security threat for this org's packages. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is a legitimate build utility dependency used indirectly by this package's utilities; phantom-dep pattern is expected for utility libraries. | ai | |
| phantom-deps | phantom-dep:micromatch | AI (phantom-deps): micromatch is a legitimate build utility dependency used indirectly; phantom-dep pattern is expected for utility libraries. | ai | |
| phantom-deps | phantom-dep:@commander-js/extra-typings | AI (phantom-deps): Type definitions package used indirectly with commander; phantom-dep pattern is expected for utility libraries. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a type definition package for a TypeScript build utilities library; declaring it as a dep without direct imports is standard practice. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): Referenced in config files rather than direct imports; expected pattern for ESLint plugin dependencies in a build utilities package. | ai | |
| phantom-deps | phantom-dep:@types/micromatch | AI (phantom-deps): @types/micromatch is a TypeScript type declaration package; declaring it as a dependency without direct imports is standard practice in TypeScript projects. | ai | |
| phantom-deps | phantom-dep:@mxpicture/dep-analyzer | AI (phantom-deps): Same-org scoped package from @mxpicture; phantom usage is consistent with internal tooling loaded indirectly or via dist output. | ai |
Versions (showing 32 of 232)
| Version | Deps | Published |
|---|---|---|
| 0.2.36 | 7 / 1 | |
| 0.2.35 | 7 / 1 | |
| 0.2.34 | 7 / 1 | |
| 0.2.33 | 7 / 1 | |
| 0.2.32 | 7 / 1 | |
| 0.2.31 | 7 / 1 | |
| 0.2.30 | 7 / 1 | |
| 0.2.29 | 7 / 1 | |
| 0.2.28 | 7 / 1 | |
| 0.2.27 | 8 / 1 | |
| 0.2.26 | 7 / 1 | |
| 0.2.25 | 7 / 1 | |
| 0.2.24 | 7 / 1 | |
| 0.2.23 | 7 / 1 | |
| 0.2.22 | 9 / 1 | |
| 0.2.21 | 9 / 1 | |
| 0.2.20 | 9 / 1 | |
| 0.2.19 | 9 / 1 | |
| 0.2.18 | 9 / 1 | |
| 0.2.17 | 9 / 1 | |
| 0.2.15 | 9 / 1 | |
| 0.2.14 | 7 / 1 | |
| 0.2.13 | 3 / 1 | |
| 0.2.12 | 3 / 1 | |
| 0.2.11 | 3 / 1 | |
| 0.2.10 | 3 / 1 | |
| 0.2.9 | 3 / 1 | |
| 0.2.8 | 3 / 1 | |
| 0.2.7 | 3 / 1 | |
| 0.2.6 | 3 / 1 | |
| 0.2.5 | 3 / 1 | |
| 0.2.4 | 3 / 1 |
v0.2.27
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.9
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.