@pagopa/dx-mcpserver
An MCP server that supports developers using DX tools.
Supply chain provenance
Status for the latest visible version (0.2.4): published via CI/CD with a Sigstore attestation whose predicate is SLSA provenance v1. Provenance binds the published tarball to a build of a specific repository and workflow; it does not vouch for the source itself, so it complements rather than replaces a review of the code. Consumers can verify the attestation against the registry locally with `npm audit signatures`.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher is GitHub Actions with SLSA provenance; CI/CD publishing is the documented pattern for @pagopa packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files correspond to SDK migration; no injected/obfuscated payloads indicated. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by migration from fastmcp to @modelcontextprotocol/sdk with new source files. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): pino-pretty is a declared runtime dep used in logging config; phantom-dep heuristic fires as false positive. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): axios is a declared runtime dependency in package.json; phantom-dep firing is a false positive for this package. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance via Sigstore is a strong supply chain integrity signal; stable for this package. | ai | |
| phantom-deps | phantom-dep:@octokit/rest | AI (phantom-deps): @octokit/rest is a declared runtime dependency in package.json; phantom-dep is a false positive here. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 0.2.4 | 10 / 8 | |
| 0.2.3 | 10 / 8 | |
| 0.2.2 | 10 / 8 | |
| 0.2.1 | 10 / 8 | |
| 0.2.0 | 10 / 8 | |
| 0.1.6 | 10 / 8 | |
| 0.1.5 | 10 / 8 | |
| 0.1.4 | 10 / 8 | |
| 0.1.3 | 10 / 8 | |
| 0.1.2 | 8 / 8 | |
| 0.1.1 | 8 / 8 | |
| 0.0.12 | 8 / 8 | |
| 0.0.11 | 8 / 8 | |
| 0.0.10 | 8 / 8 | |
| 0.0.9 | 8 / 8 | |
| 0.0.8 | 8 / 8 | |
| 0.0.7 | 8 / 8 | |
| 0.0.6 | 8 / 8 | |
| 0.0.5 | 8 / 8 | |
| 0.0.4 | 8 / 8 | |
| 0.0.3 | 8 / 8 | |
| 0.0.2 | 8 / 7 | |
| 0.0.1 | 8 / 6 | |
v0.2.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.2
2 findings: This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.1
2 findings: This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.