@raystack/chronicle
Config-driven documentation framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): Fires in a unit test asserting correct base64 round-trip of logo data; not a malicious payload pattern. | ai | |
| dependencies | unvetted-dep:use-analytics | AI (dependencies): Legitimate analytics hook library; expected dependency for a docs framework with analytics support. | ai | |
| dependencies | unvetted-dep:@analytics/google-analytics | AI (dependencies): Official Google Analytics plugin for the analytics library; well-known, no malware indicators. | ai | |
| phantom-deps | phantom-dep:use-analytics | AI (phantom-deps): Config-file reference pattern; stable for this package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Reference is in a unit test asserting safePath() blocks traversal to /etc/passwd — not actual credential access. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lodash-es is a canonical ESM replacement for lodash; swap is consistent with the package's ESM-only module type. | ai | |
| dependencies | unvetted-dep:satori | AI (dependencies): Satori is Vercel's OG image generation library; legitimate and widely used. | ai | |
| dependencies | unvetted-dep:nitro | AI (dependencies): Nitro is the Nuxt/UnJS server engine; legitimate well-known package, stable false positive for this doc framework. | ai | |
| provenance | no-provenance | AI (provenance): Org-published package with consistent release history; lack of Sigstore attestation is a process gap, not a security signal. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): zod is a declared runtime dep used in config files; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:remark-attr | AI (phantom-deps): Used via config/plugin convention in fumadocs/remark pipeline, not direct import. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI build tool passing process.env to child process is standard; no secret exfiltration risk in this context. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is a peer/runtime dep for a Next.js framework; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/unist | AI (phantom-deps): Type-only package loaded by TypeScript toolchain convention. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash used via config/templates in this framework; stable false positive. | ai | |
| phantom-deps | phantom-dep:h3 | AI (phantom-deps): h3 is a transitive/config-level dep of nitro in this docs framework; not a real phantom. | ai | |
| phantom-deps | phantom-dep:remark-frontmatter | AI (phantom-deps): Remark plugin used via config pipeline; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@codemirror/view | AI (phantom-deps): CodeMirror view likely re-exported or used via peer; stable false positive. | ai | |
| phantom-deps | phantom-dep:@shikijs/rehype | AI (phantom-deps): Rehype plugin used via config; stable false positive for this documentation framework. | ai | |
| phantom-deps | phantom-dep:remark-gfm | AI (phantom-deps): Remark plugins declared for config-driven MDX pipeline; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Used via config/build tooling in a documentation framework; not a direct import pattern. | ai | |
| phantom-deps | phantom-dep:std-env | AI (phantom-deps): Consumed transitively or via config in Nitro/Vite context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:remark-mdx-frontmatter | AI (phantom-deps): Remark plugin used via config pipeline; stable false positive for this package. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.12.4 | 52 / 14 | |
| 0.12.3 | 52 / 14 | |
| 0.12.2 | 52 / 14 | |
| 0.12.1 | 50 / 14 | |
| 0.12.0 | 50 / 14 | |
| 0.11.3 | 50 / 14 | |
| 0.11.2 | 50 / 14 | |
| 0.11.1 | 50 / 14 | |
| 0.11.0 | 50 / 14 | |
| 0.10.4 | 45 / 14 | |
| 0.10.3 | 45 / 14 | |
| 0.10.2 | 45 / 14 | |
| 0.10.1 | 44 / 14 | |
| 0.10.0 | 44 / 14 | |
| 0.9.0 | 43 / 14 | |
| 0.8.0 | 44 / 14 | |
| 0.7.4 | 44 / 14 | |
| 0.7.3 | 43 / 14 | |
| 0.7.2 | 43 / 14 | |
| 0.7.1 | 43 / 14 | |
| 0.7.0 | 43 / 10 | |
| 0.6.1 | 43 / 10 | |
| 0.6.0 | 43 / 10 | |
| 0.5.4 | 42 / 10 | |
| 0.5.3 | 42 / 10 | |
| 0.5.2 | 37 / 10 | |
| 0.5.1 | 37 / 10 | |
| 0.5.0 | 37 / 10 | |
| 0.4.0 | 36 / 10 | |
| 0.3.0 | 27 / 10 | |
| 0.2.0 | 27 / 10 | |
| 0.1.3 | 26 / 11 | |
| 0.1.2 | 24 / 11 | |
v0.12.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
2 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (flagged line 13, inside a test: `test('returns null for path traversal', () => { expect(safePath(base, '/../etc/passwd')).toBeNull(); });`)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (flagged line 13, inside a test: `test('returns null for path traversal', () => { expect(safePath(base, '/../etc/passwd')).toBeNull(); });`)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
2 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (flagged line 13, inside a test: `test('returns null for path traversal', () => { expect(safePath(base, '/../etc/passwd')).toBeNull(); });`)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
2 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux (flagged line 13, inside a test: `test('returns null for path traversal', () => { expect(safePath(base, '/../etc/passwd')).toBeNull(); });`)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
5 findings
Spreading entire process.env into an object — may capture all secrets (flagged line 30: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 31: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 26: `const env = { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),`)
Spreading entire process.env into an object — may capture all secrets (flagged line 31: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
5 findings
Spreading entire process.env into an object — may capture all secrets (flagged line 30: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 31: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 26: `const env = { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),`)
Spreading entire process.env into an object — may capture all secrets (flagged line 31: `env: { ...process.env, CHRONICLE_PROJECT_ROOT: process.cwd(),` following `stdio: 'inherit', cwd: scaffoldPath,`)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
5 findings
Spreading entire process.env into an object — may capture all secrets (flagged line 24: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 25: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 19: `const env = { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `loadCLIConfig(contentDir)`)
Spreading entire process.env into an object — may capture all secrets (flagged line 25: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
5 findings
Spreading entire process.env into an object — may capture all secrets (flagged line 24: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 25: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Spreading entire process.env into an object — may capture all secrets (flagged line 19: `const env = { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `loadCLIConfig(contentDir)`)
Spreading entire process.env into an object — may capture all secrets (flagged line 25: `env: { ...process.env, CHRONICLE_CONTENT_DIR: contentDir,` following `stdio: 'inherit', cwd: PACKAGE_ROOT,`)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.