@sap-ux/cf-deploy-config-sub-generator
Generators for configuring Cloud Foundry deployment configuration
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): SAP monorepo migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern for this package going forward. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): sap-ospo-admin addition consistent with SAP OSS admin governance; not a hostile takeover signal. | ai | |
| dependencies | unvetted-dep:@sap-ux/btp-utils | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/feature-toggle | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/project-access | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/inquirer-common | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-devx/yeoman-ui-types | AI (dependencies): SAP DevX type definitions for Yeoman UI; expected in SAP generator toolchain. | ai | |
| dependencies | unvetted-dep:hasbin | AI (dependencies): Standard utility for checking binary availability; expected in a Yeoman generator context. | ai | |
| dependencies | unvetted-dep:@sap-ux/cf-deploy-config-writer | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/cf-deploy-config-inquirer | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:@sap-ux/deploy-config-generator-shared | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| provenance | no-provenance | AI (provenance): Large SAP monorepo; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| dependencies | unvetted-dep:@sap-ux/fiori-generator-shared | AI (dependencies): SAP open-ux-tools sibling package; expected internal dependency. | ai | |
| dependencies | unvetted-dep:yeoman-generator | AI (dependencies): Core Yeoman framework dependency; expected for this generator package. | ai | |
Versions (showing 100 of 196)
| Version | Deps | Published |
|---|---|---|
| 1.0.9 | 12 / 14 | |
| 1.0.8 | 12 / 14 | |
| 1.0.7 | 12 / 14 | |
| 1.0.6 | 12 / 14 | |
| 1.0.5 | 12 / 14 | |
| 1.0.3 | 12 / 14 | |
| 1.0.2 | 12 / 14 | |
| 1.0.1 | 12 / 14 | |
| 1.0.0 | 12 / 14 | |
| 0.3.7 | 12 / 13 | |
| 0.3.6 | 12 / 13 | |
| 0.3.4 | 12 / 13 | |
| 0.3.3 | 12 / 13 | |
| 0.3.2 | 12 / 13 | |
| 0.3.1 | 12 / 13 | |
| 0.2.181 | 12 / 13 | |
| 0.2.180 | 12 / 13 | |
| 0.2.179 | 12 / 13 | |
| 0.2.178 | 12 / 13 | |
| 0.2.177 | 12 / 13 | |
| 0.2.176 | 12 / 13 | |
| 0.2.175 | 12 / 13 | |
| 0.2.174 | 12 / 13 | |
| 0.2.173 | 12 / 13 | |
| 0.2.172 | 12 / 13 | |
| 0.2.171 | 12 / 13 | |
| 0.2.170 | 12 / 13 | |
| 0.2.169 | 12 / 13 | |
| 0.2.168 | 12 / 13 | |
| 0.2.167 | 12 / 13 | |
| 0.2.166 | 12 / 13 | |
| 0.2.165 | 12 / 13 | |
| 0.2.164 | 12 / 13 | |
| 0.2.163 | 12 / 13 | |
| 0.2.162 | 12 / 13 | |
| 0.2.161 | 12 / 13 | |
| 0.2.160 | 12 / 13 | |
| 0.2.159 | 12 / 13 | |
| 0.2.158 | 12 / 13 | |
| 0.2.157 | 12 / 13 | |
| 0.2.156 | 12 / 13 | |
| 0.2.155 | 12 / 13 | |
| 0.2.154 | 12 / 13 | |
| 0.2.153 | 12 / 13 | |
| 0.2.152 | 12 / 13 | |
| 0.2.151 | 12 / 13 | |
| 0.2.150 | 12 / 13 | |
| 0.2.149 | 12 / 13 | |
| 0.2.148 | 12 / 13 | |
| 0.2.147 | 12 / 13 | |
| 0.2.146 | 12 / 13 | |
| 0.2.145 | 12 / 13 | |
| 0.2.144 | 12 / 13 | |
| 0.2.143 | 12 / 13 | |
| 0.2.142 | 12 / 13 | |
| 0.2.141 | 12 / 13 | |
| 0.2.139 | 12 / 13 | |
| 0.2.137 | 12 / 13 | |
| 0.2.136 | 12 / 13 | |
| 0.2.135 | 12 / 13 | |
| 0.2.134 | 12 / 13 | |
| 0.2.132 | 12 / 13 | |
| 0.2.131 | 12 / 13 | |
| 0.2.130 | 12 / 13 | |
| 0.2.129 | 12 / 13 | |
| 0.2.128 | 12 / 13 | |
| 0.2.127 | 12 / 13 | |
| 0.2.126 | 12 / 13 | |
| 0.2.125 | 12 / 13 | |
| 0.2.124 | 12 / 13 | |
| 0.2.123 | 12 / 13 | |
| 0.2.122 | 12 / 13 | |
| 0.2.121 | 12 / 13 | |
| 0.2.120 | 12 / 13 | |
| 0.2.119 | 12 / 13 | |
| 0.2.118 | 12 / 13 | |
| 0.2.117 | 12 / 13 | |
| 0.2.116 | 12 / 13 | |
| 0.2.115 | 12 / 13 | |
| 0.2.113 | 12 / 13 | |
| 0.2.112 | 12 / 13 | |
| 0.2.111 | 12 / 13 | |
| 0.2.110 | 12 / 13 | |
| 0.2.109 | 12 / 13 | |
| 0.2.108 | 12 / 13 | |
| 0.2.107 | 12 / 13 | |
| 0.2.106 | 12 / 13 | |
| 0.2.105 | 12 / 13 | |
| 0.2.104 | 12 / 13 | |
| 0.2.103 | 12 / 13 | |
| 0.2.102 | 12 / 13 | |
| 0.2.101 | 12 / 13 | |
| 0.2.100 | 12 / 13 | |
| 0.2.99 | 12 / 13 | |
| 0.2.98 | 12 / 13 | |
| 0.2.97 | 12 / 13 | |
| 0.2.96 | 12 / 13 | |
| 0.2.95 | 12 / 13 | |
| 0.2.94 | 12 / 13 | |
| 0.2.93 | 12 / 13 |
v1.0.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
2 findings
This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
2 findings
This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.2
2 findings
This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
2 findings
This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.181
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.180
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.179
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.178
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.177
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.176
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.174
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.173
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.172
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.171
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.170
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.169
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.168
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.167
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.166
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.165
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.164
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.163
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.162
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.161
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.160
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.159
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.158
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.157
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.156
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.155
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.154
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.153
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-20, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.152
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-18, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.151
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (devinea) than the most recent previously approved version (kranthie.sap) on 2026-03-17, but devinea is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.2.150
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.149
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.148
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.147
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.146
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.145
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.144
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.143
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.142
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.141
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.139
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.137
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.136
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.135
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.134
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.132
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.131
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.130
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.129
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.128
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.127
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.126
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.125
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.124
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.123
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.122
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.121
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.120
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.119
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.118
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.117
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.116
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.115
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.113
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.112
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.111
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.110
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.109
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.108
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.107
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.106
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.105
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.104
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.103
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.102
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.101
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.100
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.99
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.98
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.97
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.96
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.95
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.94
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.93
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.