@quenty/inputkeymaputils
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@quentystudios/jest-lua | AI (npm-metadata): Test/dev dependency from same org; git URL is a known pattern for this publisher's test tooling. | ai | |
| provenance | no-provenance | AI (provenance): Large Roblox monorepo; provenance not used across the entire @quenty scope. | ai | |
| dependencies | unvetted-dep:@quenty/rx | AI (dependencies): Same-org monorepo dependency; stable pattern across all Quenty/NevermoreEngine packages. | ai | |
| dependencies | unvetted-dep:@quentystudios/jest-lua | AI (dependencies): Same-org test dependency used across NevermoreEngine packages; not a runtime risk. | ai | |
| phantom-deps | phantom-dep:@quenty/nevermore-test-runner | AI (phantom-deps): Same-org test runner; phantom-dep pattern is stable for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@quenty/loader | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/signal | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/string | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/ducktype | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/enumutils | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/inputmode | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/baseobject | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package manager enforcement script, not malicious. Stable for this monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/statestack | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/valueobject | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/pseudolocalize | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/valuebaseutils | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quentystudios/jest-lua | AI (phantom-deps): Lua test runner; referenced in config files, not JS imports. Expected for this monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/clienttranslator | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/observablecollection | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/servicebag | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/rx | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/brio | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/maid | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/table | AI (phantom-deps): Lua package; not imported as JS module. Expected pattern for this Roblox/Lua monorepo. | ai |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 14.41.2 | 20 / 0 | |
| 14.41.0 | 20 / 0 | |
| 14.40.0 | 19 / 0 | |
| 14.38.0 | 19 / 0 | |
| 14.31.1 | 17 / 0 | |
| 14.29.1 | 17 / 0 | |
| 14.28.0 | 17 / 0 | |
| 14.25.0 | 17 / 0 |
v14.41.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.40.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.38.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.31.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.29.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.28.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.25.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.