@openrewrite/rewrite
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Large active project with frequent releases; occasional gitHead gaps are a CI config issue, not a supply-chain indicator. | ai | |
| phantom-deps | phantom-dep:dedent | AI (phantom-deps): dedent is declared in dependencies and likely used in dist output; phantom-dep heuristic false positive. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): commander/typescript/tmp-promise are established packages added for the RPC server feature; not suspicious for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from individual (zieka) to GitHub Actions CI publisher is expected for a maturing project; SLSA attestation confirms integrity. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child_process spawn options is standard; not exfiltration. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a type-only dep used at compile time; not imported at runtime. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves optional prettier peer dep by path; documented plugin-loader pattern. | ai |
Versions (showing 51 of 86)
| Version | Deps | Published |
|---|---|---|
| 8.84.4 | 12 / 9 | |
| 8.84.3 | 12 / 9 | |
| 8.84.2 | 12 / 9 | |
| 8.84.1 | 12 / 9 | |
| 8.84.0 | 12 / 9 | |
| 8.83.7 | 12 / 9 | |
| 8.83.6 | 12 / 9 | |
| 8.83.5 | 12 / 9 | |
| 8.83.4 | 12 / 9 | |
| 8.83.3 | 12 / 9 | |
| 8.83.2 | 12 / 9 | |
| 8.83.1 | 12 / 9 | |
| 8.83.0 | 12 / 9 | |
| 8.82.1 | 12 / 8 | |
| 8.82.0 | 12 / 8 | |
| 8.81.17 | 12 / 8 | |
| 8.81.16 | 12 / 8 | |
| 8.81.15 | 12 / 8 | |
| 8.81.14 | 12 / 8 | |
| 8.81.13 | 12 / 8 | |
| 8.81.12 | 12 / 8 | |
| 8.81.11 | 12 / 8 | |
| 8.81.10 | 12 / 8 | |
| 8.81.9 | 12 / 8 | |
| 8.81.8 | 12 / 8 | |
| 8.81.7 | 12 / 8 | |
| 8.81.6 | 12 / 8 | |
| 8.81.5 | 12 / 8 | |
| 8.81.4 | 12 / 8 | |
| 8.81.3 | 12 / 8 | |
| 8.81.2 | 12 / 8 | |
| 8.81.1 | 12 / 8 | |
| 8.81.0 | 12 / 8 | |
| 8.80.1 | 12 / 8 | |
| 8.80.0 | 12 / 8 | |
| 8.79.6 | 12 / 8 | |
| 8.79.5 | 12 / 8 | |
| 8.79.4 | 12 / 8 | |
| 8.79.3 | 12 / 8 | |
| 8.79.2 | 12 / 8 | |
| 8.79.1 | 12 / 8 | |
| 8.79.0 | 12 / 8 | |
| 8.78.6 | 12 / 8 | |
| 8.78.5 | 12 / 8 | |
| 8.78.4 | 12 / 8 | |
| 8.78.3 | 12 / 8 | |
| 8.78.2 | 12 / 8 | |
| 8.78.1 | 12 / 8 | |
| 8.78.0 | 12 / 8 | |
| 8.77.2 | 12 / 8 | |
| 8.67.1 | 9 / 9 |
v8.84.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.84.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.84.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.84.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.84.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.83.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.83.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.83.5
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.83.4
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.83.3
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.83.2
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v8.83.1
2 findingsThis version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.83.0
2 findingsThis version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.82.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.82.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.4
2 findingsThis version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.81.0
2 findingsThis version was published by a different npm account than previous versions on 2026-04-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.80.1
2 findingsThis version was published by a different npm account than previous versions on 2026-04-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.80.0
2 findingsThis version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.6
2 findingsThis version was published by a different npm account than previous versions on 2026-04-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.5
2 findingsThis version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.4
2 findingsThis version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.3
2 findingsThis version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.2
2 findingsThis version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.1
2 findingsThis version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.79.0
2 findingsThis version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.6
2 findingsThis version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.5
2 findingsThis version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.4
2 findingsThis version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.3
2 findingsThis version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.2
2 findingsThis version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.1
2 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.78.0
2 findingsThis version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.77.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.67.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.