@pulumi/pulumi
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@pulumi/query | AI (dependencies): First-party Pulumi package; stable dependency across all @pulumi/pulumi versions. | ai | |
| phantom-deps | phantom-dep:pkg-dir | AI (phantom-deps): Declared but not directly imported; consistent with build/config tooling in this package. | ai | |
| phantom-deps | phantom-dep:@types/tmp | AI (phantom-deps): @types/* packages are loaded by TypeScript convention; properly declared in dependencies. | ai | |
| phantom-deps | phantom-dep:package-directory | AI (phantom-deps): package-directory is legitimately declared and used in build/config files; expected for SDK packages. | ai | |
| phantom-deps | phantom-dep:@types/google-protobuf | AI (phantom-deps): @types/* packages are loaded by TypeScript convention; properly declared in dependencies. | ai | |
| phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): @types/* packages are loaded by TypeScript convention; properly declared in dependencies. | ai | |
| phantom-deps | phantom-dep:picomatch | AI (phantom-deps): picomatch is legitimately declared and used in build/config files; expected for SDK packages. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load optional peer deps (ts-node, typescript) by name at runtime — a documented pattern for optional peer dependency loading in this SDK. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): getValue_asB64() is standard protobuf API for accessing binary fields over gRPC; not obfuscation or payload hiding. | ai | |
Versions (showing 41 of 141)
| Version | Deps | Published |
|---|---|---|
| 3.147.0 | 30 / 21 | |
| 3.146.0 | 30 / 21 | |
| 3.145.0 | 30 / 21 | |
| 3.144.1 | 30 / 21 | |
| 3.144.0 | 30 / 21 | |
| 3.143.0 | 30 / 21 | |
| 3.142.0 | 30 / 21 | |
| 3.141.0 | 30 / 21 | |
| 3.140.0 | 30 / 21 | |
| 3.139.0 | 30 / 21 | |
| 3.138.0 | 30 / 21 | |
| 3.137.0 | 30 / 21 | |
| 3.136.1 | 30 / 21 | |
| 3.136.0 | 30 / 21 | |
| 3.135.1 | 30 / 21 | |
| 3.135.0 | 30 / 21 | |
| 3.134.1 | 30 / 21 | |
| 3.134.0 | 30 / 21 | |
| 3.133.0 | 30 / 21 | |
| 3.132.0 | 30 / 21 | |
| 3.131.0 | 30 / 21 | |
| 3.130.0 | 30 / 21 | |
| 3.129.0 | 30 / 21 | |
| 3.128.0 | 30 / 21 | |
| 3.127.0 | 30 / 21 | |
| 3.126.0 | 30 / 21 | |
| 3.125.0 | 30 / 21 | |
| 3.124.0 | 30 / 21 | |
| 3.123.0 | 30 / 21 | |
| 3.122.0 | 30 / 21 | |
| 3.121.0 | 30 / 21 | |
| 3.120.0 | 30 / 21 | |
| 3.119.0 | 30 / 21 | |
| 3.118.0 | 30 / 21 | |
| 3.117.0 | 30 / 21 | |
| 3.116.1 | 30 / 21 | |
| 3.116.0 | 30 / 21 | |
| 3.115.2 | 30 / 21 | |
| 3.115.1 | 30 / 21 | |
| 3.115.0 | 30 / 21 | |
| 3.114.0 | 30 / 21 | |
Per-version findings

| Version | Findings |
|---|---|
| v3.147.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.146.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.145.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.144.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.144.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.143.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.142.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.141.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.140.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.139.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.138.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.137.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.136.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.136.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.135.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.135.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.134.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.134.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.133.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.132.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.131.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.130.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.129.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.128.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.127.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.126.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.125.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.124.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.123.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.122.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.121.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.120.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.119.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.118.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.117.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.116.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.116.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.115.2 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.115.1 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.115.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v3.114.0 | 1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |