@sap-ux/fiori-mcp-server

SAP Fiori - Model Context Protocol (MCP) server

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tqueckkranthie.sapsap_extncrepossap-ospo-admindevinea

Keywords

SAP Fiori toolsSAP Fiori elementsSAP Fiori freestyleMCPAI

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): devinea is an established SAP publisher with 1746 approved packages; transition appears to be a legitimate org account change.	ai	2026/05/30
phantom-deps	phantom-dep:apache-arrow	AI (phantom-deps): apache-arrow is a peer/transitive dep of @lancedb/lancedb; not directly imported is expected for this package.	ai	2026/05/18
dependencies	unvetted-dep:mem-fs-editor	AI (dependencies): mem-fs-editor is a well-established Yeoman file-system utility; stable false positive for this SAP tooling package.	ai	2026/05/01
phantom-deps	phantom-dep:@xenova/transformers	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:mem-fs	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@sap-ux/fiori-docs-embeddings	AI (phantom-deps): Marked external in esbuild bundle; same SAP org scope, not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@sap-ux/store	AI (phantom-deps): Marked external in esbuild bundle; same SAP org scope, not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:mem-fs-editor	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30
phantom-deps	phantom-dep:@lancedb/lancedb	AI (phantom-deps): Marked external in esbuild bundle; not directly imported in bundled output by design.	ai	2026/04/30

Versions (showing 97 of 97)

Version	Deps	Published
1.0.3	6 / 34	2026-06-04
1.0.2	6 / 34	2026-06-01
1.0.1	6 / 34	2026-05-31
1.0.0	6 / 33	2026-05-30
0.7.2	7 / 32	2026-05-27
0.7.1	7 / 32	2026-05-21
0.7.0	7 / 32	2026-05-15
0.6.58	7 / 32	2026-05-13
0.6.57	7 / 32	2026-05-12
0.6.56	7 / 32	2026-05-11
0.6.55	7 / 32	2026-05-07
0.6.54	6 / 32	2026-05-07
0.6.53	6 / 32	2026-05-04
0.6.52	6 / 32	2026-04-28
0.6.51	6 / 32	2026-04-23
0.6.50	6 / 32	2026-04-23
0.6.49	6 / 32	2026-04-14
0.6.48	6 / 32	2026-04-08
0.6.47	6 / 32	2026-03-30
0.6.46	6 / 33	2026-03-26
0.6.45	6 / 33	2026-03-23
0.6.44	6 / 33	2026-03-17
0.6.43	6 / 33	2026-03-16
0.6.42	6 / 33	2026-03-13
0.6.41	6 / 33	2026-03-05
0.6.40	6 / 33	2026-03-05
0.6.39	6 / 33	2026-03-04
0.6.38	6 / 33	2026-03-04
0.6.37	6 / 33	2026-03-03
0.6.36	6 / 33	2026-02-27
0.6.35	6 / 33	2026-02-26
0.6.34	6 / 33	2026-02-23
0.6.33	6 / 33	2026-02-21
0.6.32	6 / 33	2026-02-20
0.6.31	6 / 33	2026-02-20
0.6.30	6 / 33	2026-02-18
0.6.29	6 / 33	2026-02-13
0.6.28	6 / 33	2026-02-10
0.6.27	6 / 33	2026-02-05
0.6.26	6 / 33	2026-02-05
0.6.25	6 / 33	2026-02-05
0.6.24	6 / 33	2026-02-04
0.6.23	6 / 34	2026-02-04
0.6.22	6 / 31	2026-02-03
0.6.21	6 / 31	2026-02-02
0.6.20	6 / 31	2026-01-30
0.6.19	6 / 31	2026-01-30
0.6.18	6 / 31	2026-01-29
0.6.17	6 / 31	2026-01-29
0.6.16	6 / 31	2026-01-28
0.6.15	6 / 31	2026-01-28
0.6.14	6 / 31	2026-01-24
0.6.13	6 / 31	2026-01-23
0.6.12	6 / 31	2026-01-23
0.6.11	6 / 31	2026-01-23
0.6.10	6 / 31	2026-01-19
0.6.9	6 / 31	2026-01-17
0.6.8	6 / 31	2026-01-16
0.6.7	6 / 31	2026-01-13
0.6.6	6 / 31	2026-01-12
0.6.5	6 / 31	2026-01-12
0.6.4	6 / 31	2026-01-09
0.6.3	6 / 31	2026-01-08
0.6.2	6 / 31	2025-12-19
0.6.1	6 / 31	2025-12-18
0.6.0	6 / 31	2025-12-18
0.5.2	6 / 31	2025-12-16
0.5.1	6 / 31	2025-12-15
0.5.0	6 / 31	2025-12-14
0.4.11	6 / 31	2025-12-12
0.4.10	6 / 31	2025-12-11
0.4.9	6 / 30	2025-12-09
0.4.8	6 / 30	2025-12-04
0.4.7	6 / 30	2025-12-03
0.4.6	6 / 30	2025-12-02
0.4.5	6 / 30	2025-12-01
0.4.4	5 / 31	2025-11-28
0.4.2	5 / 29	2025-11-26
0.4.1	5 / 29	2025-11-14
0.4.0	5 / 29	2025-11-10
0.3.3	5 / 23	2025-11-06
0.3.2	5 / 23	2025-11-05
0.3.1	5 / 23	2025-10-29
0.3.0	5 / 23	2025-10-27
0.2.5	3 / 22	2025-10-21
0.2.4	3 / 22	2025-10-15
0.0.11	12 / 6	2025-09-16
0.0.10	12 / 6	2025-09-16
0.0.9	12 / 6	2025-09-15
0.0.8	12 / 6	2025-09-12
0.0.7	12 / 6	2025-09-11
0.0.6	12 / 6	2025-09-11
0.0.5	8 / 6	2025-09-10
0.0.4	8 / 6	2025-09-05
0.0.3	8 / 6	2025-09-05
0.0.2	8 / 6	2025-09-03
0.0.1	8 / 6	2025-09-02

v1.0.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.2

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.1

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

2 findings

HIGH Publisher changed: devinea → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.