@pnpm/core — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

pnpmuserzkochan

Keywords

pnpmpnpm10dependenciesdependency managerefficientfasthardlinksinstallinstallerlinklockfilemodulesnpmpackage managerpackage.jsonpackagesprunerapidremoveshrinkwrapsymlinksuninstall

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@pnpm/deps.graph-sequencer	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:p-filter	AI (phantom-deps): Monorepo package; phantom-deps are expected for transitive/config-referenced deps.	ai	2026/05/07
phantom-deps	phantom-dep:run-groups	AI (phantom-deps): Monorepo package; phantom-deps are expected for transitive/config-referenced deps.	ai	2026/05/07
phantom-deps	phantom-dep:is-inner-link	AI (phantom-deps): Monorepo package; phantom-deps are expected for transitive/config-referenced deps.	ai	2026/05/07
phantom-deps	phantom-dep:normalize-path	AI (phantom-deps): Monorepo package; phantom-deps are expected for transitive/config-referenced deps.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/crypto.hash	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/remove-bins	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/dependency-path	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/lockfile.pruner	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/lockfile.walker	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/npm-package-arg	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/read-modules-dir	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
phantom-deps	phantom-dep:@pnpm/package-requester	AI (phantom-deps): Same-org scoped deps in monorepo; phantom-deps expected for transitive refs.	ai	2026/05/07
typosquat	typosquat.levenshtein:cors	AI (typosquat): @pnpm/core is the legitimate pnpm package manager core, not a typosquat of cors.	ai	2026/05/01

Versions (showing 24 of 24)

Version	Deps	Published
1016.3.0	63 / 35	2026-04-14
1016.2.0	63 / 35	2026-03-24
1016.1.12	63 / 35	2026-03-11
1016.1.11	63 / 35	2026-03-09
1016.1.10	63 / 35	2026-03-07
1016.1.9	63 / 35	2026-02-23
1016.1.8	63 / 35	2026-02-17
1016.1.7	63 / 35	2026-02-17
1016.1.6	63 / 35	2026-02-11
1016.1.5	63 / 35	2026-02-09
1016.1.4	63 / 35	2026-02-07
1016.1.3	63 / 35	2026-01-26
1016.1.2	63 / 35	2026-01-19
1016.1.1	63 / 35	2026-01-09
1016.1.0	63 / 35	2025-12-30
1016.0.0	63 / 35	2025-12-23
1015.0.1	63 / 35	2025-12-19
1015.0.0	63 / 35	2025-12-15
1014.0.0	63 / 35	2025-12-08
1013.0.1	62 / 35	2025-12-02
1013.0.0	60 / 35	2025-11-27
1012.2.1	60 / 35	2025-11-20
1012.2.0	60 / 35	2025-11-12
1012.1.0	60 / 35	2025-11-09

v1016.1.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1016.1.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1016.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1015.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1015.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1014.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1013.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1013.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1012.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1012.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1012.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.