@openrewrite/rewrite — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

ziekaknutwannhedennatedannersjunglingmccartneyjkschneider

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Large active project with frequent releases; occasional gitHead gaps are a CI config issue, not a supply-chain indicator.	ai	2026/05/24
phantom-deps	phantom-dep:dedent	AI (phantom-deps): dedent is declared in dependencies and likely used in dist output; phantom-dep heuristic false positive.	ai	2026/05/24
publish-pattern	new-deps-added	AI (publish-pattern): commander/typescript/tmp-promise are established packages added for the RPC server feature; not suspicious for this package.	ai	2026/05/24
provenance	publisher-changed	AI (provenance): Transition from individual (zieka) to GitHub Actions CI publisher is expected for a maturing project; SLSA attestation confirms integrity.	ai	2026/05/23
semgrep	semgrep:env-spread	AI (semgrep): Spreading process.env into child_process spawn options is standard; not exfiltration.	ai	2026/04/29
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a type-only dep used at compile time; not imported at runtime.	ai	2026/04/29
semgrep	semgrep:dynamic-require	AI (semgrep): Resolves optional prettier peer dep by path; documented plugin-loader pattern.	ai	2026/04/29

Versions (showing 86 of 86)

Version	Deps	Published
8.84.4	12 / 9	2026-06-07
8.84.3	12 / 9	2026-06-06
8.84.2	12 / 9	2026-06-05
8.84.1	12 / 9	2026-06-05
8.84.0	12 / 9	2026-06-03
8.83.7	12 / 9	2026-06-02
8.83.6	12 / 9	2026-06-02
8.83.5	12 / 9	2026-06-01
8.83.4	12 / 9	2026-05-28
8.83.3	12 / 9	2026-05-27
8.83.2	12 / 9	2026-05-25
8.83.1	12 / 9	2026-05-22
8.83.0	12 / 9	2026-05-21
8.82.1	12 / 8	2026-05-18
8.82.0	12 / 8	2026-05-17
8.81.17	12 / 8	2026-05-14
8.81.16	12 / 8	2026-05-13
8.81.15	12 / 8	2026-05-12
8.81.14	12 / 8	2026-05-12
8.81.13	12 / 8	2026-05-11
8.81.12	12 / 8	2026-05-10
8.81.11	12 / 8	2026-05-10
8.81.10	12 / 8	2026-05-09
8.81.9	12 / 8	2026-05-09
8.81.8	12 / 8	2026-05-08
8.81.7	12 / 8	2026-05-07
8.81.6	12 / 8	2026-05-06
8.81.5	12 / 8	2026-05-06
8.81.4	12 / 8	2026-05-06
8.81.3	12 / 8	2026-05-02
8.81.2	12 / 8	2026-05-02
8.81.1	12 / 8	2026-04-28
8.81.0	12 / 8	2026-04-27
8.80.1	12 / 8	2026-04-23
8.80.0	12 / 8	2026-04-21
8.79.6	12 / 8	2026-04-19
8.79.5	12 / 8	2026-04-16
8.79.4	12 / 8	2026-04-14
8.79.3	12 / 8	2026-04-14
8.79.2	12 / 8	2026-04-10
8.79.1	12 / 8	2026-04-08
8.79.0	12 / 8	2026-04-08
8.78.6	12 / 8	2026-04-07
8.78.5	12 / 8	2026-04-06
8.78.4	12 / 8	2026-04-03
8.78.3	12 / 8	2026-04-02
8.78.2	12 / 8	2026-04-02
8.78.1	12 / 8	2026-04-01
8.78.0	12 / 8	2026-03-31
8.77.2	12 / 8	2026-03-30
8.67.1	9 / 9	2025-11-28
8.67.0	9 / 9	2025-11-20
8.66.4	9 / 9	2025-11-18
8.66.3	9 / 9	2025-11-14
8.66.2	9 / 9	2025-11-14
8.66.1	9 / 7	2025-11-04
8.66.0	9 / 7	2025-11-03
8.65.0	10 / 7	2025-10-26
8.64.0	10 / 7	2025-10-22
8.63.4	10 / 7	2025-10-17
8.63.3	10 / 7	2025-10-14
8.63.2	10 / 7	2025-10-14
8.63.1	10 / 7	2025-10-13
8.63.0	10 / 7	2025-10-10
8.62.6	10 / 7	2025-10-01
8.62.5	10 / 7	2025-10-01
8.62.4	9 / 6	2025-09-23
8.62.3	9 / 6	2025-09-19
8.62.2	9 / 6	2025-09-18
8.62.1	9 / 6	2025-09-15
8.61.1	9 / 7	2025-08-27
8.61.0	9 / 7	2025-08-27
8.60.2	9 / 6	2025-08-21
8.60.1	9 / 6	2025-08-16
8.60.0	9 / 6	2025-08-12
8.59.1	9 / 6	2025-07-23
8.59.0	9 / 6	2025-07-23
8.58.0	9 / 6	2025-07-15
8.57.0	9 / 6	2025-07-09
8.55.3	6 / 6	2025-06-11
8.55.2	6 / 6	2025-06-10
8.55.1	6 / 6	2025-06-08
8.55.0	6 / 6	2025-06-06
8.54.0	6 / 5	2025-05-28
8.53.1	6 / 5	2025-05-23
8.53.0	6 / 5	2025-05-19

v8.84.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.84.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.84.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.84.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.84.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.83.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.83.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.83.5

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v8.83.4

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v8.83.3

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v8.83.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v8.83.1

2 findings

HIGH Publisher changed: zieka → GitHub Actions (on 2026-05-22) provenance

This version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.83.0

2 findings

HIGH Publisher changed: zieka → mccartney (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.