@polka-codes/cli-shared

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

xlc

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from human publisher to GitHub Actions CI/CD is expected for automated publishing pipelines; SLSA attestation confirms integrity.	ai	2026/05/30
phantom-deps	phantom-dep:@polka-codes/workflow	AI (phantom-deps): Shared library; same-org dependencies used via config/re-export.	ai	2026/05/28
phantom-deps	phantom-dep:lodash	AI (phantom-deps): Declared dependency used for utilities; stable false positive.	ai	2026/05/28
phantom-deps	phantom-dep:@vscode/ripgrep	AI (phantom-deps): Declared dependency used for search functionality; stable false positive.	ai	2026/05/28
phantom-deps	phantom-dep:ignore	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:lodash-es	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:@inquirer/prompts	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:@polka-codes/core	AI (phantom-deps): Declared dependency; same-org scope, used via config/indirect imports.	ai	2026/05/18
phantom-deps	phantom-dep:mime-types	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:zod	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:yaml	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:chalk	AI (phantom-deps): Declared dependency; used via config/indirect imports in CLI shared library.	ai	2026/05/18
phantom-deps	phantom-dep:@ai-sdk/provider-utils	AI (phantom-deps): @ai-sdk/provider-utils is a declared runtime dep used transitively; phantom-dep heuristic false positive for this package.	ai	2026/05/03

Versions (showing 51 of 145)

View all versions

Version	Deps	Published
0.10.32	13 / 3	2026-06-01
0.10.31	13 / 3	2026-05-12
0.10.30	13 / 3	2026-05-12
0.10.29	13 / 3	2026-05-04
0.10.28	13 / 3	2026-05-03
0.10.27	13 / 3	2026-04-30
0.10.26	13 / 3	2026-04-10
0.10.25	13 / 3	2026-04-07
0.10.24	13 / 3	2026-04-07
0.10.23	13 / 3	2026-04-07
0.10.22	13 / 3	2026-04-07
0.10.21	13 / 3	2026-04-07
0.10.20	13 / 3	2026-04-07
0.10.19	13 / 3	2026-04-06
0.10.18	13 / 3	2026-04-06
0.10.17	13 / 3	2026-04-02
0.10.16	13 / 3	2026-04-02
0.10.13	13 / 3	2026-04-01
0.10.11	13 / 3	2026-04-01
0.10.10	13 / 3	2026-04-01
0.10.9	13 / 3	2026-04-01
0.10.8	13 / 3	2026-04-01
0.10.6	13 / 3	2026-04-01
0.10.5	13 / 3	2026-03-30
0.10.3	13 / 3	2026-03-23
0.10.1	13 / 3	2026-03-11
0.9.102	13 / 3	2026-03-05
0.9.101	13 / 3	2026-02-22
0.9.100	13 / 3	2026-02-09
0.9.99	13 / 3	2026-01-29
0.9.98	13 / 3	2026-01-28
0.9.97	13 / 3	2026-01-28
0.9.96	13 / 3	2026-01-28
0.9.95	13 / 3	2026-01-28
0.9.94	13 / 3	2026-01-28
0.9.93	13 / 3	2026-01-28
0.9.92	13 / 3	2026-01-27
0.9.91	13 / 2	2026-01-23
0.9.90	13 / 2	2026-01-23
0.9.89	13 / 3	2026-01-18
0.9.88	12 / 2	2026-01-14
0.9.86	12 / 2	2026-01-08
0.9.85	12 / 2	2026-01-06
0.9.84	12 / 2	2026-01-05
0.9.83	12 / 2	2026-01-05
0.9.82	12 / 2	2026-01-04
0.9.81	12 / 2	2025-12-19
0.9.80	12 / 2	2025-12-17
0.9.79	12 / 2	2025-12-16
0.9.78	12 / 2	2025-12-11
0.9.77	12 / 2	2025-12-10

v0.10.32

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.31

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.30

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.29

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.28

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.27

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.26

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-10) provenance

This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.25

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.24

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.23

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.22

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.21

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.20

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-07) provenance

This version was published by a different npm account than previous versions on 2026-04-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.19

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-06) provenance

This version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.18

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-06) provenance

This version was published by a different npm account than previous versions on 2026-04-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.17

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-02) provenance

This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.16

2 findings

HIGH Publisher changed: xlc → GitHub Actions (on 2026-04-02) provenance

This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.