@quenty/soundplayer
Sound playback helper
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are same-org @quenty/* packages consistent with monorepo evolution. | ai | |
| dependencies | unvetted-dep:@quenty/rx | AI (dependencies): Same-org @quenty/* dependency; consistent pattern across all NevermoreEngine packages. | ai | |
| phantom-deps | phantom-dep:@quenty/observablecollection | AI (phantom-deps): Same-org monorepo package; phantom-dep pattern is stable across all @quenty/* packages. | ai | |
| phantom-deps | phantom-dep:@quenty/transitionmodel | AI (phantom-deps): Same org Roblox/Lua package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@quenty/numberrangeutils | AI (phantom-deps): Same org Roblox/Lua package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@quenty/table | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/loader | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/signal | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/sounds | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/promise | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/rbxasset | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quentystudios/t | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): only-allow pnpm is a standard package manager enforcement pattern used consistently across this monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/servicebag | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/soundgroup | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/promisemaid | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/randomutils | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/valueobject | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/adorneeutils | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/instanceutils | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/baseobject | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/rx | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/brio | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/maid | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/blend | AI (phantom-deps): Roblox/Lua package; JS import analysis is a false positive for this ecosystem. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 7.39.0 | 22 / 0 | |
| 7.37.2 | 22 / 0 | |
| 7.37.1 | 22 / 0 | |
| 7.37.0 | 22 / 0 | |
| 7.36.0 | 22 / 0 | |
| 7.35.0 | 22 / 0 | |
| 7.34.0 | 22 / 0 | |
| 7.33.0 | 22 / 0 | |
| 7.31.0 | 21 / 0 | |
| 7.28.1 | 19 / 0 | |
| 7.27.0 | 19 / 0 | |
| 7.25.1 | 19 / 0 | |
| 7.25.0 | 19 / 0 | |
| 7.24.4 | 19 / 0 | |
| 7.24.3 | 19 / 0 | |
| 7.24.1 | 19 / 0 | |
| 7.24.0 | 19 / 0 | |
| 7.23.3 | 19 / 0 | |
| 7.23.2 | 19 / 0 | |
| 7.23.0 | 19 / 0 | |
| 7.22.0 | 19 / 0 | |
| 7.21.0 | 19 / 0 | |
| 7.20.1 | 19 / 0 | |
| 7.20.0 | 19 / 0 |
v7.39.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.37.2
2 findingsScript: npx only-allow pnpm
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.37.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.36.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.33.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.28.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.25.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.21.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.20.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.20.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.