@pnpm/releasing.commands
Commands for deploy, pack, and publish
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@pnpm/exec.pnpm-cli-runner | AI (dependencies): Internal @pnpm monorepo package; consistent with pnpm's scoped dependency pattern. | ai | |
| provenance | no-provenance | AI (provenance): pnpm monorepo packages consistently publish without Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@pnpm/network.web-auth | AI (dependencies): Sibling pnpm monorepo package; coordinated versioning is expected. | ai | |
| dependencies | unvetted-dep:@pnpm/fs.is-empty-dir-or-nothing | AI (dependencies): Sibling pnpm monorepo package; coordinated versioning is expected. | ai | |
| dependencies | unvetted-dep:@pnpm/releasing.exportable-manifest | AI (dependencies): Sibling pnpm monorepo package; coordinated versioning is expected. | ai | |
| phantom-deps | phantom-dep:@pnpm/engine.runtime.commands | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic is a stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/normalize-path | AI (phantom-deps): Type-only declaration; not directly imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@pnpm/resolving.resolver-base | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic is a stable false positive. | ai | |
| phantom-deps | phantom-dep:@pnpm/catalogs.types | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic is a stable false positive for pnpm internal packages. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 1100.4.2 | 53 / 27 | |
| 1100.4.1 | 53 / 27 | |
| 1100.4.0 | 53 / 27 | |
| 1100.3.1 | 53 / 27 | |
| 1100.3.0 | 53 / 27 | |
| 1100.2.18 | 52 / 27 | |
| 1100.2.17 | 52 / 27 | |
| 1100.2.16 | 52 / 27 | |
| 1100.2.15 | 52 / 27 | |
| 1100.2.14 | 52 / 27 | |
| 1100.2.13 | 52 / 27 | |
| 1100.2.12 | 52 / 27 | |
| 1100.2.11 | 52 / 27 | |
| 1100.2.10 | 52 / 27 | |
| 1100.2.9 | 52 / 27 | |
| 1100.2.8 | 52 / 26 | |
| 1100.2.7 | 52 / 26 | |
| 1100.2.6 | 52 / 26 | |
| 1100.2.5 | 52 / 26 | |
| 1100.2.4 | 52 / 26 | |
| 1100.2.3 | 52 / 26 | |
| 1100.2.2 | 52 / 26 | |
| 1100.2.1 | 52 / 26 | |
| 1100.2.0 | 52 / 26 | |
| 1100.1.0 | 52 / 26 | |
| 1100.0.2 | 49 / 26 | |
| 1100.0.1 | 49 / 26 | |
| 1100.0.0 | 49 / 26 | |
| 1000.0.0 | 46 / 26 | |
v1100.4.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.15
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1100.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1100.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1000.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.