@sap-ux/fiori-annotation-api
Library that provides API for reading and writing annotations in SAP Fiori elements projects.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): SAP org migrated to GitHub Actions CI/CD publishing; SLSA provenance attestation confirms legitimate automated pipeline. | ai | |
| provenance | no-provenance | AI (provenance): SAP UX monorepo packages consistently lack Sigstore provenance; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@xml-tools/ast | AI (dependencies): Standard XML tooling dependency; expected for annotation parsing. | ai | |
| dependencies | unvetted-dep:@sap-ux/odata-entity-model | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/odata-vocabularies | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/vocabularies-types | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap/ux-cds-compiler-facade | AI (dependencies): SAP-scoped CDS compiler facade; expected dependency for this annotation API. | ai | |
| dependencies | unvetted-dep:@sap-ux/cds-annotation-parser | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/odata-annotation-core | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/odata-annotation-core-types | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/cds-odata-annotation-converter | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/xml-odata-annotation-converter | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:@sap-ux/annotation-converter | AI (dependencies): SAP-scoped sibling package; stable dependency in this monorepo. | ai | |
| dependencies | unvetted-dep:mem-fs-editor | AI (dependencies): Well-known mem-fs-editor package; stable dependency for this SAP tooling package. | ai | |
| phantom-deps | phantom-dep:@sap-ux/annotation-converter | AI (phantom-deps): Same-org SAP package; declared as dep and used transitively. Stable false positive for this monorepo package. | ai |
Versions (showing 51 of 70)
| Version | Deps | Published |
|---|---|---|
| 1.0.5 | 17 / 5 | |
| 1.0.4 | 17 / 5 | |
| 1.0.2 | 17 / 5 | |
| 1.0.1 | 17 / 5 | |
| 1.0.0 | 17 / 5 | |
| 0.11.1 | 17 / 4 | |
| 0.11.0 | 17 / 4 | |
| 0.10.1 | 17 / 4 | |
| 0.10.0 | 17 / 4 | |
| 0.9.49 | 17 / 4 | |
| 0.9.48 | 17 / 4 | |
| 0.9.47 | 17 / 4 | |
| 0.9.46 | 17 / 4 | |
| 0.9.45 | 17 / 4 | |
| 0.9.43 | 17 / 4 | |
| 0.9.39 | 17 / 4 | |
| 0.9.38 | 17 / 4 | |
| 0.9.35 | 17 / 4 | |
| 0.9.34 | 17 / 4 | |
| 0.9.31 | 17 / 4 | |
| 0.9.30 | 17 / 4 | |
| 0.9.29 | 17 / 4 | |
| 0.9.27 | 17 / 4 | |
| 0.9.26 | 17 / 4 | |
| 0.9.23 | 17 / 4 | |
| 0.9.22 | 17 / 4 | |
| 0.9.18 | 17 / 4 | |
| 0.9.16 | 17 / 4 | |
| 0.9.15 | 17 / 4 | |
| 0.9.13 | 17 / 4 | |
| 0.9.11 | 17 / 4 | |
| 0.9.9 | 17 / 4 | |
| 0.9.7 | 17 / 4 | |
| 0.9.5 | 17 / 4 | |
| 0.9.4 | 17 / 4 | |
| 0.9.1 | 17 / 4 | |
| 0.8.6 | 17 / 4 | |
| 0.8.5 | 17 / 4 | |
| 0.8.2 | 17 / 4 | |
| 0.8.1 | 17 / 4 | |
| 0.7.23 | 17 / 4 | |
| 0.7.22 | 17 / 4 | |
| 0.7.18 | 17 / 4 | |
| 0.7.17 | 17 / 4 | |
| 0.7.16 | 17 / 4 | |
| 0.7.14 | 17 / 4 | |
| 0.7.13 | 17 / 4 | |
| 0.7.10 | 17 / 4 | |
| 0.7.9 | 17 / 4 | |
| 0.7.8 | 17 / 4 | |
| 0.7.7 | 17 / 4 |
v1.0.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.1
2 findingsThis version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
2 findingsThis version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
2 findingsThis version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
2 findingsThis version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.49
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.48
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.47
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.46
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.43
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.39
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.38
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.35
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.34
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.31
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.30
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.29
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.27
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.