@quenty/tie
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@quenty/nevermore-test-runner | AI (phantom-deps): Same-org Roblox/Nevermore package; phantom-dep pattern is consistent across all @quenty/* packages. | ai | |
| phantom-deps | phantom-dep:@quenty/collectionserviceutils | AI (phantom-deps): Same-org Roblox/Nevermore package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@quenty/rx | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/brio | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/maid | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/enums | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/table | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/tuple | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/loader | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/string | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/symbol | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): npx only-allow pnpm is a standard package-manager enforcement script used across the NevermoreEngine monorepo. | ai | |
| phantom-deps | phantom-dep:@quenty/baseobject | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/servicebag | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/statestack | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/valueobject | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/instanceutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/attributeutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/valuebaseutils | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quentystudios/jest-lua | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| phantom-deps | phantom-dep:@quenty/rxsignal | AI (phantom-deps): Lua/Roblox package; JS import analysis doesn't apply to this ecosystem. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): @quenty/tie is a scoped Roblox/Lua package in the NevermoreEngine monorepo; no impersonation of vite. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 10.38.0 | 20 / 2 | |
| 10.37.0 | 20 / 2 | |
| 10.29.0 | 17 / 2 | |
| 10.28.0 | 17 / 2 | |
| 10.27.1 | 17 / 2 | |
| 10.27.0 | 17 / 2 | |
| 10.26.7 | 17 / 2 | |
| 10.26.6 | 17 / 2 | |
| 10.26.5 | 16 / 2 | |
| 10.26.4 | 16 / 2 | |
| 10.26.3 | 16 / 2 | |
| 10.26.2 | 16 / 2 | |
| 10.26.1 | 16 / 2 | |
| 10.26.0 | 16 / 2 | |
| 10.25.1 | 16 / 2 | |
| 10.25.0 | 16 / 2 | |
| 10.24.0 | 16 / 2 | |
| 10.23.0 | 16 / 2 | |
| 10.22.0 | 16 / 2 | |
| 10.21.1 | 16 / 2 | |
| 10.21.0 | 16 / 2 | |
v10.37.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.29.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.28.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.27.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.27.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.26.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.25.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.25.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.24.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.23.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.22.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.21.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.21.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.