@nsshunt/stsrunnerframework
STS Runner Framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Dependency is bundled into dist output; not directly imported in source but legitimately used. | ai | |
| phantom-deps | phantom-dep:detect-node | AI (phantom-deps): Dependency is bundled into dist output; not directly imported in source but legitimately used. | ai | |
| phantom-deps | phantom-dep:fflate | AI (phantom-deps): fflate is declared as a runtime dep and likely bundled/tree-shaken; phantom-dep heuristic fires on bundled packages routinely. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 244 versions; lack of provenance is consistent across all releases and not a new signal. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is declared as a runtime dep; phantom-dep heuristic fires but it may be re-exported or used indirectly. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): lodash.merge is declared as a runtime dep; phantom-dep heuristic fires but usage may be in bundled output. | ai | |
Versions (showing 63 of 63)
| Version | Deps | Published |
|---|---|---|
| 2.0.40 | 6 / 9 | |
| 2.0.39 | 6 / 9 | |
| 2.0.38 | 6 / 9 | |
| 2.0.37 | 6 / 9 | |
| 2.0.36 | 6 / 9 | |
| 2.0.35 | 6 / 9 | |
| 2.0.34 | 6 / 9 | |
| 2.0.33 | 6 / 9 | |
| 2.0.32 | 6 / 9 | |
| 2.0.31 | 6 / 9 | |
| 2.0.30 | 6 / 9 | |
| 2.0.29 | 6 / 9 | |
| 2.0.28 | 6 / 9 | |
| 2.0.27 | 6 / 9 | |
| 2.0.26 | 6 / 9 | |
| 2.0.25 | 6 / 9 | |
| 2.0.24 | 6 / 9 | |
| 2.0.23 | 6 / 9 | |
| 2.0.22 | 6 / 9 | |
| 2.0.21 | 6 / 9 | |
| 2.0.20 | 6 / 9 | |
| 2.0.19 | 6 / 9 | |
| 2.0.18 | 5 / 9 | |
| 2.0.17 | 5 / 9 | |
| 2.0.16 | 5 / 9 | |
| 2.0.15 | 5 / 9 | |
| 2.0.14 | 5 / 9 | |
| 2.0.13 | 5 / 9 | |
| 2.0.12 | 5 / 9 | |
| 2.0.11 | 6 / 10 | |
| 2.0.10 | 6 / 10 | |
| 2.0.9 | 6 / 10 | |
| 2.0.8 | 7 / 9 | |
| 2.0.7 | 7 / 9 | |
| 2.0.6 | 7 / 9 | |
| 2.0.5 | 7 / 9 | |
| 2.0.4 | 7 / 9 | |
| 2.0.3 | 7 / 9 | |
| 2.0.2 | 7 / 9 | |
| 2.0.1 | 7 / 9 | |
| 1.0.200 | 7 / 9 | |
| 1.0.199 | 7 / 9 | |
| 1.0.198 | 7 / 9 | |
| 1.0.197 | 7 / 9 | |
| 1.0.195 | 7 / 9 | |
| 1.0.194 | 7 / 9 | |
| 1.0.193 | 7 / 9 | |
| 1.0.192 | 7 / 9 | |
| 1.0.191 | 7 / 9 | |
| 1.0.190 | 6 / 9 | |
| 1.0.189 | 6 / 9 | |
| 1.0.188 | 6 / 9 | |
| 1.0.187 | 6 / 9 | |
| 1.0.186 | 6 / 9 | |
| 1.0.185 | 6 / 9 | |
| 1.0.184 | 6 / 9 | |
| 1.0.183 | 6 / 9 | |
| 1.0.182 | 6 / 9 | |
| 1.0.181 | 6 / 9 | |
| 1.0.180 | 6 / 9 | |
| 1.0.179 | 6 / 9 | |
| 1.0.178 | 6 / 9 | |
| 1.0.177 | 6 / 9 |
v2.0.40
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.39
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.38
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.37
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.36
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.35
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.34
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.33
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.31
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.28
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.27
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.23
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.22
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.21
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.200
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.199
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.198
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.197
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.195
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.194
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.193
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.192
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.191
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.190
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.189
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.188
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.187
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.186
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.185
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.184
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.183
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.182
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.181
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.180
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.179
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.178
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.177
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.