@quenty/brine
Fast and efficient extensible serialiation and deserialization library for Roblox with native instance support out of the box
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@quenty/rx | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic doesn't apply to Roblox/Lua packages. | ai | |
| phantom-deps | phantom-dep:@quenty/table | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic doesn't apply to Roblox/Lua packages. | ai | |
| phantom-deps | phantom-dep:@quenty/steputils | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic doesn't apply to Roblox/Lua packages. | ai | |
| phantom-deps | phantom-dep:@quenty/baseobject | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic doesn't apply to Roblox/Lua packages. | ai | |
| phantom-deps | phantom-dep:@quenty/instanceutils | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic doesn't apply to Roblox/Lua packages. | ai | |
| phantom-deps | phantom-dep:@quenty/memoize | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/viewport | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/servicebag | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package manager enforcement script; benign and consistent across all @quenty packages. | ai | |
| phantom-deps | phantom-dep:@quenty/selectionutils | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quentystudios/jest-lua | AI (phantom-deps): Referenced in config files per finding; stable false positive for this Lua-based package. | ai | |
| phantom-deps | phantom-dep:@quenty/nevermore-test-runner | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/bufferencoder | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/maid | AI (phantom-deps): Roblox/Lua monorepo; deps may be consumed by Lua runtime loader, not JS imports. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@quenty/loader | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/string | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai | |
| phantom-deps | phantom-dep:@quenty/symbol | AI (phantom-deps): Same monorepo pattern; Lua runtime consumption, not JS imports. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.3.0 | 16 / 0 | |
| 1.2.0 | 16 / 0 | |
| 1.1.2 | 11 / 0 | |
| 1.1.1 | 11 / 0 | |
| 1.1.0 | 11 / 0 |
v1.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
2 findingsScript: npx only-allow pnpm
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
2 findingsScript: npx only-allow pnpm
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.