@powerlines/plugin-cloudflare
A Powerlines plugin that provides integration with Cloudflare services.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is a same-org @powerlines package; low risk of supply-chain injection in this context. | ai | |
| phantom-deps | phantom-dep:powerlines | AI (phantom-deps): Plugin architecture; powerlines is the framework referenced in config, not direct code imports. | ai | |
| phantom-deps | phantom-dep:@powerlines/plugin-pulumi | AI (phantom-deps): Same-org plugin dependency; referenced in config files as part of plugin composition pattern. | ai | |
| phantom-deps | phantom-dep:@stryke/path | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@alloy-js/core | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@stryke/helpers | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:defu | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@stryke/hash | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@pulumi/cloudflare | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@stryke/type-checks | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@alloy-js/typescript | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@stryke/string-format | AI (phantom-deps): Config-referenced dependency; stable pattern for this monorepo package. | ai | |
| dependencies | unvetted-dep:@pulumi/cloudflare | AI (dependencies): @pulumi/cloudflare is the official Pulumi Cloudflare provider; expected dependency for a Cloudflare integration plugin. | ai | |
| dependencies | unvetted-dep:@powerlines/plugin-env | AI (dependencies): First-party dependency from the same Storm Software/Powerlines organization; expected for this plugin ecosystem. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): First-party config tooling referenced in config files only; not a security concern. | ai | |
| phantom-deps | phantom-dep:@pulumi/pulumi | AI (phantom-deps): Referenced in config files only; minor packaging hygiene issue, not a security concern for this Pulumi-based plugin. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 0.6.173 | 17 / 7 | |
| 0.6.155 | 17 / 7 | |
| 0.6.154 | 17 / 7 | |
| 0.6.73 | 16 / 7 | |
| 0.6.44 | 16 / 7 | |
| 0.6.43 | 16 / 7 | |
| 0.6.38 | 16 / 7 | |
| 0.6.36 | 16 / 7 | |
| 0.6.34 | 16 / 7 | |
| 0.6.32 | 16 / 7 | |
| 0.6.29 | 16 / 7 | |
| 0.6.23 | 16 / 7 | |
| 0.6.20 | 16 / 7 | |
| 0.6.19 | 16 / 7 | |
| 0.6.14 | 16 / 7 | |
| 0.6.13 | 16 / 7 | |
| 0.6.10 | 16 / 7 | |
| 0.6.6 | 16 / 7 | |
| 0.6.5 | 16 / 7 | |
| 0.6.2 | 16 / 7 | |
| 0.6.0 | 16 / 7 | |
| 0.5.18 | 17 / 5 | |
| 0.5.14 | 17 / 5 | |
| 0.5.9 | 17 / 5 | |
| 0.5.0 | 17 / 5 | |
| 0.3.3 | 14 / 4 | |
| 0.2.28 | 14 / 4 | |
| 0.2.26 | 14 / 4 | |
| 0.2.25 | 14 / 4 | |
| 0.2.15 | 11 / 4 | |
| 0.2.0 | 11 / 4 | |
v0.6.173
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.155
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.154
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.6.44
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.43
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.38
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.36
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.34
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.32
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.29
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.23
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.