← Home

@proofkit/webviewer

npm Repository Homepage

A utility to fetch data from FileMaker webviewer

8
Versions
ISC
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

eluce3

Keywords

filemakerproofgeistproofshwebviewerfmtanstack-intent

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Consistent with CI/CD pipeline change; SLSA attestation provides stronger commit linkage than gitHead field. ai
provenance publisher-changed AI (provenance): Transition to GitHub Actions CI publishing is confirmed by SLSA provenance attestation; consistent with legitimate automation migration. ai
provenance no-provenance AI (provenance): Established proofgeist org package; provenance attestation not yet enabled but no other risk signals. ai

Versions (showing 8 of 8)

Version Deps Published
3.0.8 1 / 12
3.0.7 1 / 12
3.0.6 1 / 10
3.0.5 1 / 10
3.0.4 1 / 9
3.0.3 1 / 9
3.0.1 1 / 9
3.0.0 1 / 10

v3.0.8

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: eluce3 → GitHub Actions (on 2026-05-12) provenance

This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.7

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: eluce3 → GitHub Actions (on 2026-05-05) provenance

This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.5

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eluce3.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eluce3.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.