@qlever-llc/trellis
Client-side Trellis runtime, models, and contract helpers for TypeScript applications.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-http | AI (phantom-deps): Config-file reference only; phantom-dep heuristic false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Org-scoped package with clean publisher history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-proto | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used for error class type introspection — not obfuscation, stable pattern for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads a Deno transport specifier; controlled internal use, not user-supplied input. | ai | |
| phantom-deps | phantom-dep:@nats-io/transport-node | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/resources | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-base | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-node | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/semantic-conventions | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used solely as ESM dynamic import shim in CJS context; not evaluating arbitrary external input. | ai | |
| phantom-deps | phantom-dep:ts-deepmerge | AI (phantom-deps): Declared but not directly imported; config-only reference, stable false positive for this package. | ai |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.8.4 | 20 / 1 | |
| 0.8.3 | 20 / 1 | |
| 0.8.2 | 20 / 1 | |
| 0.8.0 | 20 / 1 | |
| 0.7.0 | 19 / 1 | |
| 0.6.1 | 17 / 1 | |
| 0.6.0 | 17 / 1 | |
| 0.5.1 | 10 / 1 |
v0.8.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.