@neovici/cosmoz-utils — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

nomegocristineculawurpermegheaiulian

Keywords

polymerweb-components

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Neovici migrated to GitHub Actions publishing with SLSA attestation; this pattern is expected for all future versions.	ai	2026/05/26
provenance	slsa-provenance	AI (provenance): Package consistently published via CI/CD with Sigstore attestation; stable supply chain signal.	ai	2026/05/14

Versions (showing 16 of 16)

Version	Deps	Published
6.21.0	1 / 13	2026-05-27
6.20.2	1 / 13	2026-04-28
6.20.1	1 / 13	2026-03-31
6.20.0	1 / 13	2026-03-23
6.19.0	1 / 13	2026-02-06
6.18.0	1 / 13	2026-02-02
6.17.2	1 / 13	2026-02-01
6.17.1	1 / 13	2026-01-28
6.17.0	1 / 12	2025-12-09
6.16.1	1 / 12	2025-12-09
6.16.0	1 / 12	2025-11-27
6.15.1	1 / 12	2025-10-23
6.15.0	1 / 12	2025-09-23
6.14.2	1 / 12	2025-08-19
6.14.1	1 / 12	2025-08-04
6.14.0	1 / 12	2025-07-21

v6.21.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.20.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.20.0

2 findings

HIGH Publisher changed: nomego → GitHub Actions (on 2026-03-23) provenance

This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.19.0

2 findings

HIGH Publisher changed: nomego → GitHub Actions (on 2026-02-06) provenance

This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.18.0

2 findings

HIGH Publisher changed: nomego → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.17.2

2 findings

HIGH Publisher changed: nomego → GitHub Actions (on 2026-02-01) provenance

This version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.17.1

2 findings

HIGH Publisher changed: nomego → GitHub Actions (on 2026-01-28) provenance

This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.