
@sora-soft/redis-component

sora system redis component

Versions: 8
License: WTFPL
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

q619389112xyyaya

Keywords

sora, redis

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@sora-soft/define-transform | AI (phantom-deps): Same org scope; used as a build/type dependency, stable false positive for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Established sora-soft org package with 25 versions; long gap followed by routine version bump with no suspicious changes. | ai | |
| dependencies | unvetted-dep:redlock | AI (dependencies): redlock is a well-known Redis distributed lock library; its use is expected and appropriate for this Redis component. | ai | |
| provenance | no-provenance | AI (provenance): Established package with consistent repo history; lack of provenance is common and not a risk indicator here. | ai | |

Versions (showing 8 of 8)

| Version | Deps | Published |
|---|---|---|
| 2.2.1 | 5 / 3 | |
| 2.2.0 | 4 / 3 | |
| 2.1.0 | 4 / 7 | |
| 2.0.4 | 4 / 7 | |
| 2.0.3 | 4 / 7 | |
| 2.0.2 | 4 / 4 | |
| 2.0.1 | 4 / 4 | |
| 2.0.0 | 4 / 4 | |

v2.2.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.