@quenty/blend
Declarative UI system.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dep is same-org @quenty scope; consistent with monorepo release pattern across 365 versions. | ai | |
| dependencies | unvetted-dep:@quentystudios/jest-lua | AI (dependencies): Same-org (quentystudios) test dependency; stable pattern across this package's many versions. | ai | |
| dependencies | unvetted-dep:@quenty/rx | AI (dependencies): Same-org @quenty scoped package; consistent with the rest of the monorepo dependency pattern. | ai | |
| provenance | no-provenance | AI (provenance): Consistent across all @quenty/* monorepo packages; not a per-version concern. | ai | |
| phantom-deps | phantom-dep:@quenty/loader | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/signal | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/spring | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/string | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/promise | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/ducktype | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/steputils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package manager enforcer, not malicious; stable for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@quenty/valueobject | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/instanceutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/uiobjectutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/valuebaseutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quentystudios/jest-lua | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/nevermore-test-runner | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/acceltween | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/rx | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/brio | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/maid | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 12.35.0 | 17 / 2 | |
| 12.34.2 | 17 / 2 | |
| 12.34.1 | 17 / 2 | |
| 12.34.0 | 17 / 2 | |
| 12.33.0 | 17 / 2 | |
| 12.31.0 | 17 / 2 | |
| 12.30.0 | 16 / 2 | |
| 12.28.0 | 15 / 2 | |
| 12.27.0 | 15 / 2 | |
| 12.25.0 | 15 / 2 | |
| 12.24.0 | 15 / 2 | |
| 12.23.1 | 15 / 2 | |
| 12.23.0 | 15 / 2 | |
| 12.22.7 | 15 / 2 | |
| 12.22.6 | 15 / 2 | |
| 12.22.5 | 14 / 2 | |
| 12.22.4 | 14 / 2 | |
| 12.22.3 | 14 / 2 | |
| 12.22.2 | 14 / 2 | |
| 12.22.1 | 14 / 2 | |
| 12.22.0 | 14 / 2 | |
| 12.21.0 | 14 / 2 | |
| 12.20.0 | 14 / 2 | |
| 12.19.1 | 14 / 2 | |
| 12.19.0 | 14 / 2 | |
v12.35.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.34.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.33.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.31.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.28.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.25.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.23.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.22.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.22.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.22.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.22.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.22.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.22.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.22.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.19.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.