@steedos/service-community
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:moleculer-repl | AI (dependencies): Standard Moleculer framework REPL tool; consistent with Moleculer-based architecture. | ai | |
| dependencies | unvetted-dep:aliyun-sdk | AI (dependencies): Alibaba Cloud SDK; expected dependency for a platform targeting Chinese enterprise market. | ai | |
| dependencies | unvetted-dep:redlock | AI (dependencies): Well-known Redis distributed lock library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@steedos-labs/plugin-package-store | AI (dependencies): Steedos labs package; consistent with platform ecosystem. | ai | |
| dependencies | unvetted-dep:@steedos/service-package-registry | AI (dependencies): Same-org @steedos/* package; part of the platform monorepo. | ai | |
| dependencies | unvetted-dep:@steedos-builder/amis-editor | AI (dependencies): Same Steedos org builder package; consistent with platform's UI tooling. | ai | |
| phantom-deps | phantom-dep:query-string | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:node-schedule | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:randomstring | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Major version release (v3.0.0) after platform refactor; established org publisher with 28 approved packages. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): v2→v3 major version bump; new deps are all @steedos/* org packages consistent with platform consolidation. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Config-file reference in large platform bundle; stable false positive. | ai | |
| phantom-deps | phantom-dep:steedos-cli | AI (phantom-deps): Config-file reference; stable false positive for this platform package. | ai | |
| phantom-deps | phantom-dep:isomorphic-fetch | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:promise-queue | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:bignumber.js | AI (phantom-deps): Config-file reference; stable false positive. | ai | |
| phantom-deps | phantom-dep:aliyun-sdk | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:async-retry | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:dotenv-flow | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:randomcolor | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:notepack.io | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:md5 | AI (phantom-deps): Large aggregator package; deps declared for downstream consumers, not direct imports. | ai | |
| phantom-deps | phantom-dep:keyv | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:mysql | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): Known implicit runtime dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:bcrypt | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:cbor-x | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:redlock | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:crypto-js | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:js-base64 | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:node-xlsx | AI (phantom-deps): Same aggregator pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pg | AI (phantom-deps): Config-referenced optional peer dep in a platform aggregator; stable pattern. | ai | |
| phantom-deps | phantom-dep:@steedos/steedos-plugin-schema-builder | AI (phantom-deps): Same-org dep in a monorepo aggregator; stable false positive. | ai | |
| phantom-deps | phantom-dep:@steedos/service-saas | AI (phantom-deps): Same-org dep in a monorepo aggregator; stable false positive. | ai | |
| phantom-deps | phantom-dep:@steedos/service-package-loader | AI (phantom-deps): Same-org dep in a monorepo aggregator; stable false positive. | ai | |
| phantom-deps | phantom-dep:@steedos/server | AI (phantom-deps): Same-org dep in a monorepo aggregator; stable false positive. | ai | |
| phantom-deps | phantom-dep:moleculer-repl | AI (phantom-deps): Config-referenced optional dep; stable for this aggregator package. | ai | |
| phantom-deps | phantom-dep:moleculer-cron | AI (phantom-deps): Config-referenced optional dep; stable for this aggregator package. | ai | |
| phantom-deps | phantom-dep:nats | AI (phantom-deps): Config-referenced optional transport dep; stable for this package. | ai | |
| phantom-deps | phantom-dep:ioredis | AI (phantom-deps): Config-referenced optional peer dep; stable for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 3.0.13 | 61 / 0 | |
| 3.0.12 | 61 / 0 | |
| 3.0.8 | 63 / 0 | |
| 3.0.7 | 63 / 0 | |
| 3.0.6 | 63 / 0 | |
| 3.0.4 | 63 / 0 | |
| 3.0.3 | 63 / 0 | |
| 3.0.2 | 63 / 0 | |
| 3.0.1 | 65 / 0 | |
| 3.0.0 | 65 / 0 | |
| 2.7.32 | 57 / 0 | |
| 2.7.31 | 57 / 0 | |
| 2.7.30 | 57 / 0 | |
| 2.7.29 | 57 / 0 | |
| 2.7.28 | 57 / 0 | |
| 2.7.27 | 57 / 0 | |
| 2.7.25 | 57 / 0 | |
| 2.7.24 | 57 / 0 | |
| 2.7.23 | 57 / 0 | |
v3.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.31
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.29
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.25
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.24
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.23
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.