@sap-ux/app-config-writer

Add or update configuration for SAP Fiori tools application

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tqueckkranthie.sapsap_extncrepossap-ospo-admindevinea

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): SAP/open-ux-tools migrated to GitHub Actions CI publishing with SLSA attestation; this is expected for the package.	ai	2026/05/29
dependencies	unvetted-dep:mem-fs-editor	AI (dependencies): mem-fs-editor is a standard Yeoman/generator utility; stable false positive for this SAP tooling package.	ai	2026/05/27
provenance	no-provenance	AI (provenance): SAP open-ux-tools monorepo; provenance not currently published for this package family, stable false positive.	ai	2026/05/26

Versions (showing 51 of 86)

View all versions

Version	Deps	Published
1.0.5	15 / 10	2026-06-04
1.0.4	15 / 10	2026-06-04
1.0.2	15 / 10	2026-06-03
1.0.1	15 / 10	2026-06-01
1.0.0	15 / 10	2026-05-30
0.7.6	15 / 9	2026-05-27
0.7.5	15 / 9	2026-05-27
0.7.4	15 / 9	2026-05-26
0.7.3	15 / 9	2026-05-21
0.7.2	15 / 9	2026-05-19
0.7.1	15 / 9	2026-05-15
0.6.144	15 / 9	2026-05-13
0.6.143	15 / 9	2026-05-06
0.6.142	15 / 9	2026-04-30
0.6.141	15 / 9	2026-04-29
0.6.140	15 / 9	2026-04-27
0.6.139	15 / 9	2026-04-27
0.6.137	15 / 9	2026-04-23
0.6.132	15 / 9	2026-04-01
0.6.131	15 / 9	2026-03-30
0.6.130	15 / 9	2026-03-27
0.6.123	15 / 9	2026-03-18
0.6.120	15 / 9	2026-03-06
0.6.118	15 / 9	2026-03-05
0.6.116	15 / 9	2026-03-05
0.6.115	15 / 9	2026-03-05
0.6.114	15 / 9	2026-03-05
0.6.112	14 / 8	2026-03-04
0.6.108	14 / 8	2026-02-26
0.6.105	14 / 8	2026-02-21
0.6.100	14 / 8	2026-02-16
0.6.98	14 / 8	2026-02-16
0.6.97	13 / 8	2026-02-13
0.6.96	13 / 8	2026-02-13
0.6.94	13 / 8	2026-02-11
0.6.89	13 / 8	2026-02-05
0.6.87	13 / 8	2026-02-03
0.6.86	13 / 8	2026-01-30
0.6.85	13 / 8	2026-01-29
0.6.83	13 / 8	2026-01-26
0.6.82	13 / 8	2026-01-24
0.6.81	13 / 8	2026-01-23
0.6.79	13 / 8	2026-01-16
0.6.78	13 / 8	2026-01-15
0.6.76	13 / 8	2026-01-12
0.6.75	13 / 8	2026-01-09
0.6.74	13 / 8	2026-01-08
0.6.73	13 / 8	2026-01-07
0.6.71	13 / 8	2025-12-19
0.6.69	13 / 8	2025-12-18
0.6.68	13 / 8	2025-12-16

v1.0.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.6

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.5

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.4

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.3

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.2

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-19) provenance

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.1

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.144

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.143

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.142

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.141

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.139

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.137

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.132

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.131

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.130

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.123

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.120

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.118

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.116

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.115

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.114

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.112

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.108

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.105

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.100

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.98

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.97

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.96

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.94

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.89

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.87

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.86

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.85

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.83

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.82

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.81

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.79

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.78

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.76

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.75

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.74

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.73

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.71

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.69

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.68

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.