← Home

@revealui/mcp

npm Repository Homepage

Model Context Protocol integrations for RevealUI — adapter framework, hypervisor, and MCP contracts

7
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

revealui-org

Keywords

revealuimcpmodel-context-protocolaitool-discoveryservers

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:dotenv AI (phantom-deps): dotenv is declared in package.json dependencies and used in config files; false positive common in configuration-heavy packages. ai
provenance no-provenance AI (provenance): Lack of Sigstore provenance is common (~88% of npm packages) and not a disqualifier for this package's risk profile. ai
typosquat typosquat.levenshtein:yup AI (typosquat): Scoped @revealui package with clear identity, GitHub repo, and commercial homepage. No plausible impersonation of 'yup'; edit distance of 2 is coincidental. ai
dependencies unvetted-dep:@revealui/core AI (dependencies): First-party monorepo dependency from the same @revealui org; not a third-party risk. ai
dependencies unvetted-dep:@revealui/config AI (dependencies): First-party monorepo dependency from the same @revealui org; not a third-party risk. ai
dependencies unvetted-dep:@revealui/contracts AI (dependencies): First-party monorepo dependency from the same @revealui org; not a third-party risk. ai

Versions (showing 7 of 7)

Version Deps Published
0.1.11 6 / 4
0.1.10 6 / 4
0.1.8 5 / 4
0.1.7 5 / 4
0.1.5 5 / 4
0.1.3 5 / 4
0.1.1 5 / 4

v0.1.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.