@storm-software/config-tools

Versions: 100
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

stormie-bot, sullivanpj

Keywords

storm-software, storm, storm-ops, sullivanpj, monorepo, config

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Publisher changed from stormie-bot to GitHub Actions with SLSA provenance attestation; this is a legitimate CI/CD pipeline transition for this monorepo package, not a compromise signal. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): This is a config-tools library; reading prefixed env vars (STORM_EXTENSION_*) is core functionality, not credential harvesting. Pattern is stable across versions. | ai |
phantom-deps | phantom-dep:jiti | AI (phantom-deps): jiti is declared as a runtime dep and used for dynamic config file loading — a standard pattern in config libraries. Not a security concern. | ai |
phantom-deps | phantom-dep:giget | AI (phantom-deps): giget is a declared dep used for config scaffolding; phantom detection reflects indirect/dynamic usage pattern typical of config tooling. | ai |
phantom-deps | phantom-dep:sqlite | AI (phantom-deps): sqlite declared as dep; phantom detection reflects indirect usage. No security concern for a config-tools package. | ai |
phantom-deps | phantom-dep:date-fns | AI (phantom-deps): date-fns declared as dep; phantom detection reflects indirect/bundled usage. No security concern. | ai |

Versions (showing 100 of 412)

Version Deps Published
1.189.16 11 / 2
1.189.15 11 / 2
1.189.14 11 / 2
1.189.13 11 / 2
1.189.12 11 / 2
1.189.11 11 / 2
1.189.10 11 / 2
1.189.9 11 / 2
1.189.8 11 / 2
1.189.7 11 / 2
1.189.6 11 / 2
1.189.5 11 / 2
1.189.4 11 / 2
1.189.3 11 / 2
1.189.2 11 / 2
1.189.1 11 / 2
1.189.0 11 / 2
1.188.80 11 / 2
1.188.79 11 / 2
1.188.78 11 / 2
1.188.77 11 / 2
1.188.76 11 / 2
1.188.75 11 / 2
1.188.74 11 / 2
1.188.73 11 / 2
1.188.72 11 / 2
1.188.71 11 / 2
1.188.70 11 / 2
1.188.69 11 / 2
1.188.68 11 / 2
1.188.67 11 / 2
1.188.66 11 / 2
1.188.65 11 / 2
1.188.64 11 / 2
1.188.63 11 / 2
1.188.62 11 / 2
1.188.61 11 / 2
1.188.60 11 / 2
1.188.59 11 / 2
1.188.58 11 / 2
1.188.57 11 / 2
1.188.56 11 / 2
1.188.55 11 / 2
1.188.54 11 / 2
1.188.53 11 / 2
1.188.52 11 / 2
1.188.51 11 / 2
1.188.50 11 / 2
1.188.49 11 / 2
1.188.48 11 / 2
1.188.47 11 / 2
1.188.46 11 / 2
1.188.45 11 / 2
1.188.44 11 / 2
1.188.43 11 / 2
1.188.42 11 / 2
1.188.41 11 / 2
1.188.40 11 / 2
1.188.39 11 / 2
1.188.38 10 / 2
1.188.37 10 / 2
1.188.36 10 / 2
1.188.35 10 / 2
1.188.34 10 / 2
1.188.33 10 / 2
1.188.32 10 / 2
1.188.31 10 / 2
1.188.30 10 / 2
1.188.29 10 / 2
1.188.28 10 / 2
1.188.27 10 / 2
1.188.26 10 / 2
1.188.25 10 / 2
1.188.24 10 / 2
1.188.23 10 / 2
1.188.22 10 / 2
1.188.21 10 / 2
1.188.20 10 / 2
1.188.19 10 / 2
1.188.18 10 / 2
1.188.16 10 / 2
1.188.15 10 / 2
1.188.14 10 / 2
1.188.13 10 / 2
1.188.12 10 / 2
1.188.11 10 / 2
1.188.10 10 / 2
1.188.9 10 / 2
1.188.8 10 / 2
1.188.7 10 / 2
1.188.6 10 / 2
1.188.5 10 / 2
1.188.4 10 / 2
1.188.3 10 / 2
1.188.2 10 / 2
1.188.1 10 / 2
1.188.0 10 / 2
1.187.15 10 / 2
1.187.14 10 / 2
1.187.13 10 / 2

v1.188.58

2 findings
HIGH [provenance] Publisher changed: stormie-bot → GitHub Actions (on 2025-12-06)

This version was published on 2025-12-06 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.37

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.11

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.10

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.9

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.8

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.7

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.6

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.5

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.4

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.3

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.2

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.1

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.188.0

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.187.15

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.187.14

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.187.13

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.