@penclipai/db
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | no-description | AI (npm-metadata): Legitimate internal package; description omission is not indicative of malice. | ai | |
| provenance | no-provenance | AI (provenance): Provenance is a best-practice signal, not a security blocker for established publishers. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped monorepo package using date-based semver; inflated version and missing metadata are intentional, not spam indicators. | ai | |
| dependencies | unvetted-dep:embedded-postgres | AI (dependencies): embedded-postgres is appropriate for a database package; usage is expected and benign. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @penclipai/db; not impersonating pg, just a short edit distance coincidence. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @penclipai/db; not impersonating qs, just a short edit distance coincidence. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 2026.522.0 | 4 / 5 | |
| 2026.521.0 | 4 / 5 | |
| 2026.519.0 | 4 / 5 | |
| 2026.514.0 | 4 / 5 | |
| 2026.512.0 | 4 / 5 | |
| 2026.511.0 | 4 / 5 | |
| 2026.508.2 | 4 / 5 | |
| 2026.508.1 | 4 / 5 | |
| 2026.508.0 | 4 / 5 | |
| 2026.506.0 | 4 / 5 | |
| 2026.505.0 | 4 / 5 | |
| 2026.426.0 | 4 / 5 | |
| 2026.424.0 | 4 / 5 | |
| 2026.419.0 | 4 / 5 | |
| 2026.414.2 | 4 / 5 | |
| 2026.414.1 | 4 / 5 | |
| 2026.414.0 | 4 / 5 | |
| 2026.413.0 | 4 / 5 | |
| 2026.412.0 | 4 / 5 | |
| 2026.411.0 | 4 / 5 | |
| 2026.410.0 | 4 / 5 | |
| 2026.406.0 | 4 / 5 | |
| 2026.404.0 | 4 / 5 | |
| 2026.401.0 | 4 / 5 | |
v2026.522.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.521.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.519.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.514.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.512.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.511.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.508.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.508.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.508.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.506.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.505.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2026.426.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.424.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.419.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.414.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.414.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.414.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.413.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.412.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.411.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.410.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.406.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.404.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2026.401.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.