@stackwright/build-scripts

Build-time scripts for Stackwright projects (prebuild image processing, YAML compilation)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

stackwright

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:zod	AI (phantom-deps): zod is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/05/23
source-diff	source-size-tripled	AI (source-diff): Size increase is consistent with tsup bundling the newly added @stackwright/types dependency into dist output. No obfuscation or payload signals present.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Internal Stackwright tooling package; lack of Sigstore provenance is a minor gap but not a blocker given the consistent org identity and clean publisher track record.	ai	2026/04/27

Versions (showing 10 of 10)

Version	Deps	Published
0.7.2	4 / 4	2026-05-15
0.7.1	4 / 5	2026-05-08
0.7.0	3 / 5	2026-05-06
0.6.0	3 / 5	2026-04-29
0.5.0	3 / 5	2026-04-27
0.4.0	2 / 5	2026-03-17
0.3.0	2 / 5	2026-03-13
0.2.1	2 / 5	2026-02-28
0.2.0	2 / 5	2026-02-28
0.1.1	1 / 5	2026-02-26

v0.7.2

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stackwright.