@powerhousedao/analytics-engine-pg
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/index.js | AI (source-diff): Bun-bundled output of knex + drivers; standard bundler boilerplate visible in sample. | ai | |
| source-diff | net-exec-file:build/index.js | AI (source-diff): Database client bundle naturally contains net calls and dynamic requires for driver loading. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from bundling knex and all optional DB drivers into single file. | ai | |
| phantom-deps | phantom-dep:knex | AI (phantom-deps): Bundled into build/index.js; not imported at source level. | ai | |
| phantom-deps | phantom-dep:@powerhousedao/analytics-engine-core | AI (phantom-deps): Bundled into build/index.js; same-org dep. | ai | |
| phantom-deps | phantom-dep:@powerhousedao/analytics-engine-knex | AI (phantom-deps): Bundled into build/index.js; same-org dep. | ai | |
| phantom-deps | phantom-dep:oracledb | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:pg | AI (phantom-deps): Knex dynamically requires DB drivers; pg is the primary driver for this package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Likely used in bundled output; stable for this package. | ai | |
| phantom-deps | phantom-dep:pg-query-stream | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:luxon | AI (phantom-deps): Likely used transitively or in bundled output; stable for this package. | ai | |
| phantom-deps | phantom-dep:mysql | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:mysql2 | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:sqlite3 | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:tedious | AI (phantom-deps): Knex peer dependency; dynamically loaded at runtime. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 6.1.0 | 4 / 6 | |
| 6.0.0 | 4 / 6 | |
| 0.6.4 | 13 / 4 | |
| 0.6.3 | 13 / 4 | |
| 0.6.2 | 13 / 4 | |
| 0.6.1 | 6 / 4 | |
v6.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.2
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.