@sap-cloud-sdk/eslint-config
eslint config for the SAP Cloud SDK
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): eslint-plugin-import-x is a well-known fork/replacement for eslint-plugin-import; swap is intentional and benign. | ai | |
| dependencies | unvetted-dep:eslint-plugin-regex | AI (dependencies): eslint-plugin-regex is a legitimate ESLint plugin for regex-based linting rules; its use in an ESLint config package is expected and benign across all versions. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config packages reference plugins/parsers by string name in config objects, not via require(). This is the standard pattern; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-prettier | AI (phantom-deps): ESLint config packages reference plugins/parsers by string name in config objects, not via require(). This is the standard pattern; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint config packages reference parsers by string name in config objects, not via require(). This is the standard pattern; not a real phantom dep. | ai | |
| phantom-deps | phantom-dep:eslint-import-resolver-typescript | AI (phantom-deps): ESLint config packages reference resolvers by string name in config objects, not via require(). This is the standard pattern; not a real phantom dep. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 4.7.0 | 10 / 0 | |
| 4.6.0 | 11 / 0 | |
| 4.5.1 | 11 / 0 | |
| 4.5.0 | 11 / 0 | |
| 4.4.0 | 11 / 0 | |
| 4.3.1 | 11 / 0 | |
| 4.3.0 | 11 / 0 | |
| 4.2.0 | 11 / 0 | |
| 4.1.2 | 11 / 0 | |
| 4.1.1 | 11 / 0 | |
| 4.1.0 | 11 / 0 | |
v4.7.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.5.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.