← Home

@sourceloop/user-tenant-service

npm Repository Homepage

Sourceloop User Tenant Service

7
Versions
MIT
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

samarpan_sfnpm-sourcefusedev-hitesh-guptaakshatdubeysfbarleendhaliwalsfankurb1999yeshasfabir.ganguly

Keywords

loopback-extensionloopback

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition to GitHub Actions CI publisher with SLSA attestation; consistent with sourcefuse org automation. ai
dependencies unvetted-dep:@loopback/core AI (dependencies): Core LoopBack framework package from IBM/StrongLoop; stable ecosystem dependency. ai
dependencies unvetted-dep:@loopback/repository AI (dependencies): Core LoopBack framework package from IBM/StrongLoop; stable ecosystem dependency. ai
dependencies unvetted-dep:@loopback/service-proxy AI (dependencies): Core LoopBack framework package from IBM/StrongLoop; stable ecosystem dependency. ai
dependencies unvetted-dep:@loopback/boot AI (dependencies): Core LoopBack framework package from IBM/StrongLoop; stable ecosystem dependency. ai
dependencies unvetted-dep:loopback4-soft-delete AI (dependencies): Well-known LoopBack extension from SourceFuse ecosystem; stable dependency. ai
dependencies unvetted-dep:loopback4-authorization AI (dependencies): Well-known LoopBack extension from SourceFuse ecosystem; stable dependency. ai
dependencies unvetted-dep:loopback4-authentication AI (dependencies): Well-known LoopBack extension from SourceFuse ecosystem; stable dependency. ai
dependencies unvetted-dep:@sourceloop/core AI (dependencies): SourceFuse's own core library; same publisher/monorepo as this package. ai
phantom-deps phantom-dep:@loopback/rest-explorer AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
install-scripts install-script:postinstall AI (install-scripts): Runs node migration.js — standard DB migration for this SourceFuse microservice; stable pattern across all versions. ai
phantom-deps phantom-dep:@loopback/service-proxy AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:uuid AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:bcrypt AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:dotenv AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:nanoid AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:prom-client AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:jsonwebtoken AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:@loopback/openapi-v3 AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai
phantom-deps phantom-dep:loopback4-soft-delete AI (phantom-deps): Used in migration/config files; heuristic false positive for this service package. ai

Versions (showing 7 of 7)

Version Deps Published
7.1.0 20 / 14
7.0.6 20 / 14
7.0.5 20 / 14
7.0.4 20 / 14
7.0.3 20 / 14
7.0.2 20 / 14
7.0.0 21 / 14

v7.1.0

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node migration.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.2

2 findings
HIGH Publisher changed: yeshasf → GitHub Actions (on 2026-01-02) provenance

This version was published by a different npm account than previous versions on 2026-01-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.