@pagopa/monorepo-generator

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

pagopa-botpasqualedevitapp-psdiego.lagosmorales

Keywords

monorepogeneratordxpagopa

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/adapters/octokit/__tests__/index.test.cjs	AI (source-diff): Bundled vitest test file for octokit adapter; network calls are test fixtures, not malware.	ai	2026/05/21
source-diff	net-exec-file:dist/adapters/octokit/__tests__/index.test.js	AI (source-diff): Same as above — ESM variant of the same bundled test file.	ai	2026/05/21
source-diff	source-size-tripled	AI (source-diff): Size increase driven by newly included bundled test artifacts (~670KB each); not injected payload.	ai	2026/05/21

Versions (showing 14 of 14)

Version	Deps	Published
0.14.1	5 / 11	2025-12-19
0.11.2	5 / 12	2025-12-03
0.11.1	5 / 12	2025-12-03
0.11.0	5 / 12	2025-12-02
0.8.0	4 / 11	2025-10-03
0.6.0	4 / 11	2025-09-25
0.5.0	4 / 11	2025-09-23
0.4.1	3 / 11	2025-09-22
0.4.0	3 / 11	2025-09-19
0.3.1	0 / 7	2025-09-19
0.3.0	0 / 7	2025-09-18
0.2.0	0 / 7	2025-09-10
0.1.1	0 / 5	2025-09-05
0.1.0	0 / 5	2025-09-02

v0.14.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.0

3 findings

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

3 findings

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

3 findings

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.1

3 findings

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

3 findings

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.cjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/adapters/octokit/__tests__/index.test.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.