@sap-ux/environment-check

SAP Fiori environment check

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tqueckkranthie.sapsap_extncrepossap-ospo-admindevinea

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from human publisher to GitHub Actions CI/CD is confirmed by SLSA provenance attestation; expected for SAP open-ux-tools repo.	ai	2026/06/01
dependencies	unvetted-dep:@sap/bas-sdk	AI (dependencies): First-party SAP SDK; expected dependency for SAP BAS environment checks in this package.	ai	2026/05/30
provenance	no-provenance	AI (provenance): SAP UX monorepo packages consistently lack Sigstore provenance; stable false positive for this package family.	ai	2026/05/26
phantom-deps	phantom-dep:@sap-ux/ui5-config	AI (phantom-deps): @sap-ux/ui5-config is a declared dep in the same SAP monorepo; phantom-dep heuristic is a stable false positive here.	ai	2026/04/29

Versions (showing 51 of 86)

View all versions

Version	Deps	Published
1.0.5	15 / 5	2026-06-04
1.0.4	15 / 5	2026-06-04
1.0.2	15 / 5	2026-06-03
1.0.1	15 / 5	2026-06-01
1.0.0	15 / 5	2026-05-30
0.19.4	15 / 4	2026-05-27
0.19.3	15 / 4	2026-05-26
0.19.2	15 / 4	2026-05-21
0.19.1	15 / 4	2026-05-19
0.19.0	15 / 4	2026-05-15
0.18.126	15 / 4	2026-05-13
0.18.125	15 / 4	2026-05-06
0.18.124	15 / 4	2026-04-30
0.18.123	15 / 4	2026-04-29
0.18.122	15 / 4	2026-04-27
0.18.117	15 / 4	2026-04-08
0.18.115	15 / 4	2026-03-30
0.18.114	15 / 4	2026-03-27
0.18.112	15 / 4	2026-03-26
0.18.110	15 / 4	2026-03-23
0.18.109	15 / 4	2026-03-20
0.18.107	15 / 4	2026-03-17
0.18.106	15 / 4	2026-03-06
0.18.104	15 / 4	2026-03-05
0.18.103	15 / 4	2026-03-05
0.18.101	15 / 4	2026-03-04
0.18.100	15 / 4	2026-03-03
0.18.99	15 / 4	2026-02-27
0.18.98	15 / 4	2026-02-26
0.18.97	15 / 4	2026-02-23
0.18.95	15 / 4	2026-02-21
0.18.92	15 / 4	2026-02-20
0.18.88	15 / 4	2026-02-13
0.18.86	15 / 4	2026-02-12
0.18.84	15 / 4	2026-02-09
0.18.82	15 / 4	2026-02-05
0.18.81	15 / 4	2026-02-05
0.18.80	15 / 4	2026-02-05
0.18.79	15 / 4	2026-02-04
0.18.78	15 / 4	2026-02-03
0.18.76	15 / 4	2026-01-29
0.18.74	15 / 4	2026-01-26
0.18.71	15 / 4	2026-01-16
0.18.67	15 / 4	2026-01-12
0.18.66	15 / 4	2026-01-09
0.18.64	15 / 4	2026-01-07
0.18.63	15 / 4	2025-12-22
0.18.61	15 / 4	2025-12-18
0.18.60	15 / 4	2025-12-18
0.18.58	15 / 4	2025-12-15
0.18.57	15 / 4	2025-12-14

v1.0.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.4

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.3

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.2

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.1

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-19) provenance

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.0

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.