@squidcloud/local-backend

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tsouza-squidmfursovsquid.cloudwynnch-squid-aiyossisquidetaiatsquidrobbert_squidvictor-at-squid

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:tsoa	AI (phantom-deps): tsoa is a declared runtime dep used via config/CLI, not direct import; stable FP for this package.	ai	2026/04/28
phantom-deps	phantom-dep:express	AI (phantom-deps): express is used via NestJS platform adapter, not direct import; stable FP.	ai	2026/04/28
phantom-deps	phantom-dep:graphql	AI (phantom-deps): graphql is a peer/runtime dep consumed indirectly; stable FP.	ai	2026/04/28
phantom-deps	phantom-dep:json-schema-typed	AI (phantom-deps): json-schema-typed used via tsoa config; stable FP.	ai	2026/04/28
phantom-deps	phantom-dep:@nestjs/platform-express	AI (phantom-deps): NestJS platform adapter registered via module config, not direct import; stable FP.	ai	2026/04/28

Versions (showing 7 of 7)

Version	Deps	Published
1.0.461	16 / 7	2026-04-25
1.0.459	16 / 7	2026-04-22
1.0.458	16 / 7	2026-04-17
1.0.456	16 / 7	2026-04-07
1.0.454	16 / 7	2026-04-03
1.0.452	16 / 7	2026-03-30
1.0.414	14 / 5	2025-11-04