@sap-ux/backend-proxy-middleware-cf

UI5 server middleware using @sap/approuter for CF-style destinations and xs-app.json

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tqueckkranthie.sapsap_extncrepossap-ospo-admindevinea

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): SAP monorepo migrated to GitHub Actions CI/CD publishing; SLSA attestation confirms official repo origin.	ai	2026/05/30
maintainer-change	maintainer-added	AI (maintainer-change): sap-ospo-admin is SAP's OSS admin account; consistent with org-level governance change.	ai	2026/05/30
dependencies	unvetted-dep:@sap-ux/adp-tooling	AI (dependencies): Sibling SAP open-ux-tools package from the same org/repo; stable false positive for this package.	ai	2026/05/26
provenance	no-provenance	AI (provenance): SAP open-ux-tools monorepo does not publish with Sigstore provenance; stable pattern across all versions.	ai	2026/04/29

Versions (showing 51 of 129)

View all versions

Version	Deps	Published
0.3.8	9 / 5	2026-06-04
0.3.7	9 / 5	2026-06-04
0.3.6	9 / 5	2026-06-04
0.3.4	9 / 5	2026-06-03
0.3.3	9 / 5	2026-06-02
0.3.1	9 / 5	2026-06-01
0.3.0	9 / 5	2026-05-30
0.2.11	9 / 4	2026-05-29
0.2.10	9 / 4	2026-05-29
0.2.9	9 / 4	2026-05-27
0.2.7	9 / 4	2026-05-26
0.2.6	9 / 4	2026-05-22
0.2.5	9 / 4	2026-05-21
0.2.3	9 / 4	2026-05-19
0.2.2	9 / 4	2026-05-18
0.2.1	9 / 4	2026-05-15
0.1.22	9 / 4	2026-05-13
0.1.21	9 / 4	2026-05-12
0.1.20	9 / 4	2026-05-06
0.1.19	9 / 4	2026-05-01
0.1.17	9 / 4	2026-04-30
0.1.16	9 / 4	2026-04-30
0.1.15	9 / 4	2026-04-29
0.1.14	9 / 4	2026-04-27
0.1.13	9 / 4	2026-04-27
0.1.12	9 / 4	2026-04-23
0.1.11	9 / 4	2026-04-23
0.1.10	9 / 4	2026-04-22
0.1.9	9 / 4	2026-04-17
0.1.8	9 / 4	2026-04-15
0.1.7	9 / 4	2026-04-15
0.1.6	9 / 4	2026-04-14
0.1.5	9 / 4	2026-04-14
0.1.4	9 / 4	2026-04-14
0.1.3	9 / 4	2026-04-09
0.1.2	9 / 4	2026-04-08
0.1.1	9 / 4	2026-04-07
0.1.0	9 / 4	2026-04-01
0.0.99	5 / 8	2026-04-01
0.0.98	5 / 8	2026-04-01
0.0.97	5 / 8	2026-03-30
0.0.96	5 / 8	2026-03-27
0.0.95	5 / 8	2026-03-27
0.0.94	5 / 8	2026-03-26
0.0.93	5 / 8	2026-03-26
0.0.92	5 / 8	2026-03-26
0.0.91	5 / 8	2026-03-26
0.0.90	5 / 8	2026-03-25
0.0.89	5 / 8	2026-03-23
0.0.88	5 / 8	2026-03-23
0.0.87	5 / 8	2026-03-20

v0.3.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.11

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-29) provenance

This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.10

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-29) provenance

This version was published by a different npm account than previous versions on 2026-05-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.9

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.7

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.6

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-22) provenance

This version was published by a different npm account than previous versions on 2026-05-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.5

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.3

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-19) provenance

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.2

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-18) provenance

This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.