@sap-ux/cf-deploy-config-sub-generator
Generators for configuring Cloud Foundry deployment configuration
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): SAP monorepo migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern for this package going forward. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): sap-ospo-admin addition consistent with SAP OSS admin governance; not a hostile takeover signal. | ai | |
| dependencies | unvetted-dep:@sap-ux/btp-utils | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/feature-toggle | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/project-access | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/inquirer-common | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-devx/yeoman-ui-types | AI (dependencies): SAP DevX type definitions for Yeoman UI; expected in SAP generator toolchain. | ai | |
| dependencies | unvetted-dep:hasbin | AI (dependencies): Standard utility for checking binary availability; expected in a Yeoman generator context. | ai | |
| dependencies | unvetted-dep:@sap-ux/cf-deploy-config-writer | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/cf-deploy-config-inquirer | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/deploy-config-generator-shared | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| provenance | no-provenance | AI (provenance): Large SAP monorepo; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:@sap-ux/fiori-generator-shared | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:yeoman-generator | AI (dependencies): Core Yeoman framework dependency; expected for this generator package. | ai |
Versions (showing 51 of 193)
| Version | Deps | Published |
|---|---|---|
| 1.0.6 | 12 / 14 | |
| 1.0.5 | 12 / 14 | |
| 1.0.3 | 12 / 14 | |
| 1.0.2 | 12 / 14 | |
| 1.0.1 | 12 / 14 | |
| 1.0.0 | 12 / 14 | |
| 0.3.7 | 12 / 13 | |
| 0.3.6 | 12 / 13 | |
| 0.3.4 | 12 / 13 | |
| 0.3.3 | 12 / 13 | |
| 0.3.2 | 12 / 13 | |
| 0.3.1 | 12 / 13 | |
| 0.2.181 | 12 / 13 | |
| 0.2.180 | 12 / 13 | |
| 0.2.179 | 12 / 13 | |
| 0.2.178 | 12 / 13 | |
| 0.2.177 | 12 / 13 | |
| 0.2.176 | 12 / 13 | |
| 0.2.175 | 12 / 13 | |
| 0.2.174 | 12 / 13 | |
| 0.2.173 | 12 / 13 | |
| 0.2.172 | 12 / 13 | |
| 0.2.171 | 12 / 13 | |
| 0.2.170 | 12 / 13 | |
| 0.2.169 | 12 / 13 | |
| 0.2.168 | 12 / 13 | |
| 0.2.167 | 12 / 13 | |
| 0.2.166 | 12 / 13 | |
| 0.2.165 | 12 / 13 | |
| 0.2.164 | 12 / 13 | |
| 0.2.163 | 12 / 13 | |
| 0.2.162 | 12 / 13 | |
| 0.2.161 | 12 / 13 | |
| 0.2.160 | 12 / 13 | |
| 0.2.159 | 12 / 13 | |
| 0.2.158 | 12 / 13 | |
| 0.2.157 | 12 / 13 | |
| 0.2.156 | 12 / 13 | |
| 0.2.155 | 12 / 13 | |
| 0.2.154 | 12 / 13 | |
| 0.2.153 | 12 / 13 | |
| 0.2.152 | 12 / 13 | |
| 0.2.151 | 12 / 13 | |
| 0.2.150 | 12 / 13 | |
| 0.2.149 | 12 / 13 | |
| 0.2.148 | 12 / 13 | |
| 0.2.147 | 12 / 13 | |
| 0.2.146 | 12 / 13 | |
| 0.2.145 | 12 / 13 | |
| 0.2.144 | 12 / 13 | |
| 0.2.143 | 12 / 13 |
v1.0.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
2 findingsThis version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
2 findingsThis version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
2 findingsThis version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
2 findingsThis version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.181
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.180
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.179
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.178
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.177
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.176
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.174
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.173
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.172
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.171
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.170
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.169
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.168
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.167
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.166
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.165
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.164
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.163
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.162
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.161
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.160
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.159
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.158
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.157
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.156
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.155
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.154
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.153
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-20, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.152
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-18, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.151
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-17, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.150
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.149
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.148
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.147
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.146
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.145
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.144
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.143
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.