@storm-software/config-tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from stormie-bot to GitHub Actions with SLSA provenance attestation; this is a legitimate CI/CD pipeline transition for this monorepo package, not a compromise signal. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): This is a config-tools library; reading prefixed env vars (STORM_EXTENSION_*) is core functionality, not credential harvesting. Pattern is stable across versions. | ai | |
| phantom-deps | phantom-dep:jiti | AI (phantom-deps): jiti is declared as a runtime dep and used for dynamic config file loading — a standard pattern in config libraries. Not a security concern. | ai | |
| phantom-deps | phantom-dep:giget | AI (phantom-deps): giget is a declared dep used for config scaffolding; phantom detection reflects indirect/dynamic usage pattern typical of config tooling. | ai | |
| phantom-deps | phantom-dep:sqlite | AI (phantom-deps): sqlite declared as dep; phantom detection reflects indirect usage. No security concern for a config-tools package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): date-fns declared as dep; phantom detection reflects indirect/bundled usage. No security concern. | ai |
Versions (showing 100 of 383)
| Version | Deps | Published |
|---|---|---|
| 1.190.40 | 10 / 3 | |
| 1.190.39 | 10 / 3 | |
| 1.190.38 | 10 / 3 | |
| 1.190.37 | 10 / 3 | |
| 1.190.36 | 10 / 3 | |
| 1.190.35 | 10 / 3 | |
| 1.190.34 | 10 / 3 | |
| 1.190.33 | 10 / 3 | |
| 1.190.32 | 10 / 3 | |
| 1.190.31 | 10 / 3 | |
| 1.190.30 | 10 / 3 | |
| 1.190.29 | 10 / 3 | |
| 1.190.28 | 10 / 3 | |
| 1.190.27 | 10 / 3 | |
| 1.190.26 | 10 / 3 | |
| 1.190.25 | 10 / 3 | |
| 1.190.24 | 10 / 3 | |
| 1.190.23 | 10 / 3 | |
| 1.190.22 | 10 / 3 | |
| 1.190.21 | 10 / 3 | |
| 1.190.20 | 10 / 3 | |
| 1.190.19 | 10 / 3 | |
| 1.190.18 | 10 / 3 | |
| 1.190.17 | 10 / 3 | |
| 1.190.16 | 10 / 3 | |
| 1.190.15 | 10 / 3 | |
| 1.190.14 | 10 / 3 | |
| 1.190.13 | 10 / 3 | |
| 1.190.11 | 10 / 3 | |
| 1.190.10 | 10 / 3 | |
| 1.190.9 | 10 / 3 | |
| 1.190.8 | 10 / 3 | |
| 1.190.7 | 10 / 3 | |
| 1.190.6 | 10 / 3 | |
| 1.190.5 | 10 / 3 | |
| 1.190.2 | 10 / 3 | |
| 1.190.1 | 10 / 3 | |
| 1.190.0 | 10 / 3 | |
| 1.189.78 | 10 / 3 | |
| 1.189.77 | 10 / 3 | |
| 1.189.76 | 10 / 3 | |
| 1.189.75 | 10 / 3 | |
| 1.189.74 | 10 / 3 | |
| 1.189.73 | 10 / 3 | |
| 1.189.72 | 10 / 3 | |
| 1.189.71 | 10 / 3 | |
| 1.189.70 | 10 / 3 | |
| 1.189.69 | 10 / 3 | |
| 1.189.68 | 10 / 3 | |
| 1.189.67 | 10 / 3 | |
| 1.189.66 | 10 / 3 | |
| 1.189.65 | 10 / 3 | |
| 1.189.64 | 10 / 3 | |
| 1.189.63 | 10 / 3 | |
| 1.189.62 | 11 / 2 | |
| 1.189.61 | 11 / 2 | |
| 1.189.60 | 11 / 2 | |
| 1.189.59 | 11 / 2 | |
| 1.189.58 | 11 / 2 | |
| 1.189.57 | 11 / 2 | |
| 1.189.56 | 11 / 2 | |
| 1.189.55 | 11 / 2 | |
| 1.189.54 | 11 / 2 | |
| 1.189.53 | 11 / 2 | |
| 1.189.52 | 11 / 2 | |
| 1.189.51 | 11 / 2 | |
| 1.189.50 | 11 / 2 | |
| 1.189.49 | 11 / 2 | |
| 1.189.48 | 11 / 2 | |
| 1.189.47 | 11 / 2 | |
| 1.189.46 | 11 / 2 | |
| 1.189.45 | 11 / 2 | |
| 1.189.44 | 11 / 2 | |
| 1.189.43 | 11 / 2 | |
| 1.189.42 | 11 / 2 | |
| 1.189.41 | 11 / 2 | |
| 1.189.40 | 11 / 2 | |
| 1.189.39 | 11 / 2 | |
| 1.189.38 | 11 / 2 | |
| 1.189.37 | 11 / 2 | |
| 1.189.36 | 11 / 2 | |
| 1.189.35 | 11 / 2 | |
| 1.189.34 | 11 / 2 | |
| 1.189.33 | 11 / 2 | |
| 1.189.32 | 11 / 2 | |
| 1.189.31 | 11 / 2 | |
| 1.189.30 | 11 / 2 | |
| 1.189.29 | 11 / 2 | |
| 1.189.28 | 11 / 2 | |
| 1.189.27 | 11 / 2 | |
| 1.189.26 | 11 / 2 | |
| 1.189.25 | 11 / 2 | |
| 1.189.24 | 11 / 2 | |
| 1.189.23 | 11 / 2 | |
| 1.189.22 | 11 / 2 | |
| 1.189.21 | 11 / 2 | |
| 1.189.20 | 11 / 2 | |
| 1.189.19 | 11 / 2 | |
| 1.189.18 | 11 / 2 | |
| 1.189.17 | 11 / 2 |
v1.190.40
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.39
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.38
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.37
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.27
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.190.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.23
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.21
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.20
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.190.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.78
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.77
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.76
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.75
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.74
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.73
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.72
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.71
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.70
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.69
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.68
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.67
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.66
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.65
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.64
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.63
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.62
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.61
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.60
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.189.59
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.