@sap-ux/fiori-mcp-server

SAP Fiori - Model Context Protocol (MCP) server

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tqueckkranthie.sapsap_extncrepossap-ospo-admindevinea

Keywords

SAP Fiori toolsSAP Fiori elementsSAP Fiori freestyleMCPAI

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): devinea is an established SAP publisher with 1746 approved packages; transition appears to be a legitimate org account change.	ai	2026/05/30
phantom-deps	phantom-dep:apache-arrow	AI (phantom-deps): apache-arrow is a peer/transitive dep of @lancedb/lancedb; not directly imported is expected for this package.	ai	2026/05/18
dependencies	unvetted-dep:mem-fs-editor	AI (dependencies): mem-fs-editor is a well-established Yeoman file-system utility; stable false positive for this SAP tooling package.	ai	2026/05/01
phantom-deps	phantom-dep:@xenova/transformers	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:mem-fs	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@sap-ux/fiori-docs-embeddings	AI (phantom-deps): Marked external in esbuild bundle; same SAP org scope, not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@sap-ux/store	AI (phantom-deps): Marked external in esbuild bundle; same SAP org scope, not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:mem-fs-editor	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@lancedb/lancedb	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30

Versions (showing 51 of 97)

View all versions

Version	Deps	Published
1.0.3	6 / 34	2026-06-04
1.0.2	6 / 34	2026-06-01
1.0.1	6 / 34	2026-05-31
1.0.0	6 / 33	2026-05-30
0.7.2	7 / 32	2026-05-27
0.7.1	7 / 32	2026-05-21
0.7.0	7 / 32	2026-05-15
0.6.58	7 / 32	2026-05-13
0.6.57	7 / 32	2026-05-12
0.6.56	7 / 32	2026-05-11
0.6.55	7 / 32	2026-05-07
0.6.54	6 / 32	2026-05-07
0.6.53	6 / 32	2026-05-04
0.6.52	6 / 32	2026-04-28
0.6.51	6 / 32	2026-04-23
0.6.50	6 / 32	2026-04-23
0.6.49	6 / 32	2026-04-14
0.6.48	6 / 32	2026-04-08
0.6.47	6 / 32	2026-03-30
0.6.46	6 / 33	2026-03-26
0.6.45	6 / 33	2026-03-23
0.6.44	6 / 33	2026-03-17
0.6.43	6 / 33	2026-03-16
0.6.42	6 / 33	2026-03-13
0.6.41	6 / 33	2026-03-05
0.6.40	6 / 33	2026-03-05
0.6.39	6 / 33	2026-03-04
0.6.38	6 / 33	2026-03-04
0.6.37	6 / 33	2026-03-03
0.6.36	6 / 33	2026-02-27
0.6.35	6 / 33	2026-02-26
0.6.34	6 / 33	2026-02-23
0.6.33	6 / 33	2026-02-21
0.6.32	6 / 33	2026-02-20
0.6.31	6 / 33	2026-02-20
0.6.30	6 / 33	2026-02-18
0.6.29	6 / 33	2026-02-13
0.6.28	6 / 33	2026-02-10
0.6.27	6 / 33	2026-02-05
0.6.26	6 / 33	2026-02-05
0.6.25	6 / 33	2026-02-05
0.6.24	6 / 33	2026-02-04
0.6.23	6 / 34	2026-02-04
0.6.22	6 / 31	2026-02-03
0.6.21	6 / 31	2026-02-02
0.6.20	6 / 31	2026-01-30
0.6.19	6 / 31	2026-01-30
0.6.18	6 / 31	2026-01-29
0.6.17	6 / 31	2026-01-29
0.6.16	6 / 31	2026-01-28
0.6.15	6 / 31	2026-01-28

v1.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.2

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.1

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.