@storm-software/pnpm-tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:prettier-plugin-pkg | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-esm-node-path | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-better-defaults | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README quality issues in a monorepo tooling package; not indicative of spam or malice. | ai | |
| phantom-deps | phantom-dep:@storm-software/config | AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic unreliable for bundled monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing process.env to child_process.exec is standard; env is scoped and not exfiltrated. | ai | |
| phantom-deps | phantom-dep:@storm-software/npm-tools | AI (phantom-deps): Same-org dep; declared as runtime dependency and used transitively. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-packagejson | AI (phantom-deps): Referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@storm-software/package-constants | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): pnpm CLI wrapper legitimately uses child_process to run pnpm commands. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only STORM_EXTENSION_* prefixed keys; scoped config pattern, not exfiltration. | ai | |
Versions (showing 51 of 120)
| Version | Deps | Published |
|---|---|---|
| 0.7.51 | 11 / 3 | |
| 0.7.50 | 11 / 3 | |
| 0.7.49 | 11 / 3 | |
| 0.7.48 | 11 / 3 | |
| 0.7.47 | 11 / 3 | |
| 0.7.46 | 11 / 3 | |
| 0.7.45 | 11 / 3 | |
| 0.7.44 | 11 / 3 | |
| 0.7.43 | 11 / 3 | |
| 0.7.42 | 11 / 3 | |
| 0.7.41 | 11 / 3 | |
| 0.7.40 | 11 / 3 | |
| 0.7.39 | 11 / 3 | |
| 0.7.38 | 11 / 3 | |
| 0.7.37 | 11 / 3 | |
| 0.7.36 | 11 / 3 | |
| 0.7.35 | 11 / 3 | |
| 0.7.34 | 11 / 3 | |
| 0.7.33 | 11 / 3 | |
| 0.7.32 | 11 / 3 | |
| 0.7.31 | 11 / 3 | |
| 0.7.30 | 11 / 3 | |
| 0.7.29 | 11 / 3 | |
| 0.7.28 | 11 / 3 | |
| 0.7.27 | 11 / 3 | |
| 0.7.26 | 11 / 3 | |
| 0.7.25 | 11 / 3 | |
| 0.7.24 | 11 / 3 | |
| 0.7.23 | 11 / 3 | |
| 0.7.21 | 11 / 3 | |
| 0.7.20 | 11 / 3 | |
| 0.7.19 | 11 / 3 | |
| 0.7.18 | 11 / 3 | |
| 0.7.17 | 11 / 3 | |
| 0.7.16 | 11 / 3 | |
| 0.7.15 | 11 / 3 | |
| 0.7.12 | 11 / 3 | |
| 0.7.11 | 11 / 3 | |
| 0.7.10 | 11 / 3 | |
| 0.7.9 | 11 / 3 | |
| 0.7.8 | 11 / 3 | |
| 0.7.7 | 10 / 3 | |
| 0.7.6 | 10 / 3 | |
| 0.7.5 | 10 / 3 | |
| 0.7.4 | 10 / 3 | |
| 0.7.3 | 10 / 3 | |
| 0.7.2 | 10 / 3 | |
| 0.7.1 | 10 / 3 | |
| 0.7.0 | 10 / 3 | |
| 0.6.156 | 10 / 3 | |
| 0.6.155 | 10 / 3 | |
v0.7.51
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.50
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.49
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.48
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.47
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.46
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.45
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.44
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.43
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.42
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.41
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.40
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.39
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.38
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.37
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.7.36
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.35
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.34
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.33
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.32
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.31
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.30
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.29
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.27
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.26
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.25
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.24
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.23
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.21
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.18
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.17
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.16
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.6
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/storm-software/storm-ops/blob/53d2ed234e902be71b97a3f927d2613f1a15731f/bin/pnpm.cjs#L1368
```
  1366 |   return (0, import_node_child_process.exec)(command, {
  1367 |     cwd,
> 1368 |     env: {
  1369 |       ...process.env,
  1370 |       ...env,
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/storm-software/storm-ops/blob/53d2ed234e902be71b97a3f927d2613f1a15731f/bin/pnpm.js#L1346
```
  1344 |   return exec(command, {
  1345 |     cwd,
> 1346 |     env: {
  1347 |       ...process.env,
  1348 |       ...env,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.156
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.155
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.