@peerbit/proxy-window
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established publisher with 221 approvals; missing gitHead is a minor CI environment change, not a malicious indicator. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): peerbit is the first-party package from the same dao.xyz org; not a suspicious third-party dep. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Version diff shows no material changes; publisher has prior approvals and package is part of the active peerbit monorepo. | ai | |
| dependencies | unvetted-dep:peerbit | AI (dependencies): First-party peerbit monorepo package from same dao-xyz org; stable false positive. | ai | |
| dependencies | unvetted-dep:@peerbit/proxy | AI (dependencies): First-party peerbit monorepo package from same dao-xyz org; stable false positive. | ai | |
| provenance | no-provenance | AI (provenance): Consistent across all peerbit/* packages; not a malice indicator for this ecosystem. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 3.1.14 | 2 / 1 | |
| 3.1.13 | 2 / 1 | |
| 3.1.12 | 2 / 1 | |
| 3.1.11 | 2 / 1 | |
| 3.1.10 | 2 / 1 | |
| 3.1.9 | 2 / 1 | |
| 3.1.8 | 2 / 1 | |
| 3.1.7 | 2 / 1 | |
| 3.1.6 | 2 / 1 | |
| 3.1.5 | 2 / 1 | |
| 3.1.4 | 2 / 1 | |
| 3.1.3 | 2 / 1 | |
| 3.1.2 | 2 / 1 | |
| 3.1.1 | 2 / 1 | |
| 3.1.0 | 2 / 1 | |
| 3.0.118 | 2 / 1 | |
| 3.0.117 | 2 / 1 | |
| 3.0.115 | 1 / 1 | |
| 3.0.114 | 1 / 1 | |
| 3.0.113 | 1 / 1 | |
| 3.0.112 | 1 / 1 | |
| 3.0.110 | 1 / 1 | |
| 3.0.109 | 1 / 1 | |
| 3.0.108 | 1 / 1 | |
| 3.0.107 | 1 / 1 | |
| 3.0.106 | 1 / 1 | |
| 3.0.105 | 1 / 1 | |
| 3.0.104 | 1 / 1 | |
| 3.0.103 | 1 / 1 | |
| 3.0.102 | 1 / 1 | |
| 3.0.101 | 1 / 1 | |
| 3.0.100 | 1 / 1 | |
| 3.0.98 | 1 / 1 | |
| 3.0.97 | 1 / 1 | |
| 3.0.96 | 1 / 1 | |
| 3.0.95 | 1 / 1 | |
| 3.0.94 | 1 / 1 | |
| 3.0.93 | 1 / 1 | |
v3.1.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.13
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.12
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.11
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.10
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.8
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.7
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.6
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.118
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.117
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: marcus.pousette.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.115
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.114
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.113
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.112
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.110
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.109
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.108
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.107
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.106
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.105
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.104
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.103
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.102
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.101
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.100
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.98
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.97
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.96
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.95
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.94
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.93
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.