@rocket.chat/fuselage
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@rocket.chat/fuselage-tokens | AI (dependencies): Same-org monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@rocket.chat/memo | AI (dependencies): Same-org monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@rocket.chat/css-supports | AI (dependencies): Same-org monorepo dependency; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/fuselage-tokens | AI (phantom-deps): Same-org dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:invariant | AI (phantom-deps): invariant is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/styled | AI (phantom-deps): Same-org internal dep; declared in package.json as a runtime dependency, phantom detection is a false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Long-established Rocket.Chat package; lack of provenance is consistent across its 1100+ version history. | ai | |
| phantom-deps | phantom-dep:@rocket.chat/css-supports | AI (phantom-deps): Same-org dependency; likely used transitively within the monorepo build rather than directly imported. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 0.78.0 | 8 / 62 | |
| 0.77.0 | 8 / 62 | |
| 0.76.0 | 9 / 62 | |
| 0.75.0 | 9 / 62 | |
| 0.74.0 | 9 / 62 | |
| 0.73.0 | 9 / 62 | |
| 0.72.1 | 9 / 62 | |
| 0.72.0 | 9 / 62 | |
| 0.71.0 | 9 / 62 | |
| 0.70.2 | 9 / 62 | |
| 0.70.1 | 9 / 62 | |
| 0.70.0 | 9 / 62 | |
| 0.69.0 | 9 / 65 | |
| 0.68.1 | 9 / 65 | |
| 0.68.0 | 9 / 65 | |
| 0.67.0 | 9 / 65 | |
| 0.66.4 | 9 / 67 | |
| 0.66.3 | 9 / 67 | |
| 0.66.2 | 9 / 67 | |
| 0.66.1 | 9 / 67 | |
| 0.66.0 | 9 / 67 | |
| 0.65.0 | 9 / 67 | |
| 0.64.0 | 9 / 74 | |
| 0.63.0 | 9 / 74 | |
| 0.62.3 | 9 / 74 | |
| 0.62.2 | 9 / 74 | |
| 0.62.1 | 9 / 74 | |
v0.78.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.77.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.73.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-03-03, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.72.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-02-27, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.72.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-02-27, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.71.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-01-29, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.70.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-01-20, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.70.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (gazzo) than the most recent previously approved version (dougfabris) on 2026-01-19, but gazzo is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.70.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (dougfabris) than the most recent previously approved version (gazzo) on 2025-12-12, but dougfabris is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.69.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.68.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.68.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.67.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.66.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.66.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.66.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.66.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.66.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.65.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.64.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.63.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.62.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.62.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.62.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.