@storm-software/pnpm-tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:prettier-plugin-pkg | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-esm-node-path | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-better-defaults | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README quality issues in a monorepo tooling package; not indicative of spam or malice. | ai | |
| phantom-deps | phantom-dep:@storm-software/config | AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic unreliable for bundled monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing process.env to child_process.exec is standard; env is scoped and not exfiltrated. | ai | |
| phantom-deps | phantom-dep:@storm-software/npm-tools | AI (phantom-deps): Same-org dep; declared as runtime dependency and used transitively. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-packagejson | AI (phantom-deps): Referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@storm-software/package-constants | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): pnpm CLI wrapper legitimately uses child_process to run pnpm commands. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only STORM_EXTENSION_* prefixed keys; scoped config pattern, not exfiltration. | ai | |
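The phantom-deps rows above come from a heuristic that compares package names referenced in the published files and config against what package.json declares. The following is an added example, not code from @storm-software/pnpm-tools or from the tool that produced this report, of such a scan together with the two exemptions the reviewer's reasons rely on: config-file references (the tool that reads the config resolves the plugin, not this package) and same-org packages inlined into bin/pnpm.cjs (never resolved from node_modules). The manifest, bundle excerpt and config references are constructed, and treating any "@scope/name" string literal as a reference is an assumption about how a scanner ends up seeing an inlined package.

```javascript
// Added example (not code from @storm-software/pnpm-tools or from the report
// generator): a phantom-dependency scan with the two reviewer exemptions from
// the accepted-risks table. All inputs are constructed for the example.

// Node built-ins never need a package.json entry.
const NODE_BUILTINS = new Set(["fs", "path", "os", "child_process", "url", "util", "events"]);

// require("x"), import("x") and `from "x"` specifiers (high confidence).
const IMPORT_RE = /(?:\brequire\(|\bimport\(|\bfrom)\s*["']([^"']+)["']/g;
// Any "@scope/name" string literal (low confidence): this is how a scanner
// ends up "seeing" a same-org package whose package.json the bundler inlined.
const SCOPED_LITERAL_RE = /["'](@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*)["']/g;

// Map a specifier such as "@scope/pkg/sub" or "pkg/sub" to its npm package name,
// or null when no package would have to provide it.
function packageName(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null; // relative path
  if (specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// One finding per undeclared reference, with the disposition the exemptions give it.
function scanPhantomDeps(pkg, sources, configReferences) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const ownScope = pkg.name.startsWith("@") ? pkg.name.split("/")[0] : null;

  // name -> where it was first seen: "import", "literal" or "config".
  const seen = new Map();
  for (const src of sources) {
    for (const m of src.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name && !seen.has(name)) seen.set(name, "import");
    }
  }
  for (const src of sources) {
    for (const m of src.matchAll(SCOPED_LITERAL_RE)) {
      if (!seen.has(m[1])) seen.set(m[1], "literal");
    }
  }
  for (const name of configReferences) {
    if (!seen.has(name)) seen.set(name, "config");
  }

  const findings = [];
  for (const [name, origin] of seen) {
    if (declared.has(name)) continue;
    let disposition = "review";
    let reason = "referenced at runtime but not declared; resolution depends on hoisting";
    if (origin === "config") {
      disposition = "accept";
      reason = "config-file reference; the tool that reads the config resolves it, not this package";
    } else if (ownScope && name.startsWith(ownScope + "/")) {
      disposition = "accept";
      reason = "same-org package inlined by the bundler; never resolved from node_modules";
    }
    findings.push({ rule: `phantom-dep:${name}`, origin, disposition, reason });
  }
  return findings;
}

// ---- constructed sample inputs ----
const SAMPLE_PKG = {
  name: "@storm-software/pnpm-tools",
  dependencies: { "@storm-software/npm-tools": "^0.1.0", chalk: "^5.0.0" },
};

// Shaped like a bundler output: externals are required, a same-org package's
// package.json is inlined as a literal, and one dependency was never declared.
const SAMPLE_BUNDLE = `
var import_node_child_process = require("node:child_process");
var import_chalk = require("chalk");
var import_fs = require("fs");
var leftPad = require("left-pad");
var package_default = { name: "@storm-software/config-tools", version: "1.0.0" };
`;

// Names a config scanner pulled out of .prettierrc / pnpm-workspace.yaml (constructed).
const SAMPLE_CONFIG_REFS = ["prettier-plugin-packagejson", "@pnpm/plugin-better-defaults"];

const REPORT = scanPhantomDeps(SAMPLE_PKG, [SAMPLE_BUNDLE], SAMPLE_CONFIG_REFS);
console.log(JSON.stringify(REPORT, null, 2));
```

Run with `node` and only `left-pad` comes back as `review`; the three names that match the table's exemptions are `accept`, which is exactly the false-positive profile the reviewer describes for a bundled monorepo package. The literal heuristic is what makes the rule unreliable here: it cannot tell an inlined module from a runtime lookup, so a scanner that uses it needs the same-org exemption or it will flag every bundled workspace package.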
Versions (showing 100 of 120)
| Version | Deps | Published |
|---|---|---|
| 0.7.51 | 11 / 3 | |
| 0.7.50 | 11 / 3 | |
| 0.7.49 | 11 / 3 | |
| 0.7.48 | 11 / 3 | |
| 0.7.47 | 11 / 3 | |
| 0.7.46 | 11 / 3 | |
| 0.7.45 | 11 / 3 | |
| 0.7.44 | 11 / 3 | |
| 0.7.43 | 11 / 3 | |
| 0.7.42 | 11 / 3 | |
| 0.7.41 | 11 / 3 | |
| 0.7.40 | 11 / 3 | |
| 0.7.39 | 11 / 3 | |
| 0.7.38 | 11 / 3 | |
| 0.7.37 | 11 / 3 | |
| 0.7.36 | 11 / 3 | |
| 0.7.35 | 11 / 3 | |
| 0.7.34 | 11 / 3 | |
| 0.7.33 | 11 / 3 | |
| 0.7.32 | 11 / 3 | |
| 0.7.31 | 11 / 3 | |
| 0.7.30 | 11 / 3 | |
| 0.7.29 | 11 / 3 | |
| 0.7.28 | 11 / 3 | |
| 0.7.27 | 11 / 3 | |
| 0.7.26 | 11 / 3 | |
| 0.7.25 | 11 / 3 | |
| 0.7.24 | 11 / 3 | |
| 0.7.23 | 11 / 3 | |
| 0.7.21 | 11 / 3 | |
| 0.7.20 | 11 / 3 | |
| 0.7.19 | 11 / 3 | |
| 0.7.18 | 11 / 3 | |
| 0.7.17 | 11 / 3 | |
| 0.7.16 | 11 / 3 | |
| 0.7.15 | 11 / 3 | |
| 0.7.12 | 11 / 3 | |
| 0.7.11 | 11 / 3 | |
| 0.7.10 | 11 / 3 | |
| 0.7.9 | 11 / 3 | |
| 0.7.8 | 11 / 3 | |
| 0.7.7 | 10 / 3 | |
| 0.7.6 | 10 / 3 | |
| 0.7.5 | 10 / 3 | |
| 0.7.4 | 10 / 3 | |
| 0.7.3 | 10 / 3 | |
| 0.7.2 | 10 / 3 | |
| 0.7.1 | 10 / 3 | |
| 0.7.0 | 10 / 3 | |
| 0.6.156 | 10 / 3 | |
| 0.6.155 | 10 / 3 | |
| 0.6.154 | 10 / 3 | |
| 0.6.153 | 10 / 3 | |
| 0.6.152 | 9 / 4 | |
| 0.6.151 | 9 / 4 | |
| 0.6.150 | 9 / 4 | |
| 0.6.149 | 9 / 4 | |
| 0.6.148 | 9 / 4 | |
| 0.6.147 | 9 / 4 | |
| 0.6.146 | 9 / 4 | |
| 0.6.145 | 9 / 3 | |
| 0.6.144 | 9 / 3 | |
| 0.6.143 | 9 / 3 | |
| 0.6.142 | 9 / 3 | |
| 0.6.141 | 9 / 3 | |
| 0.6.140 | 9 / 3 | |
| 0.6.139 | 9 / 3 | |
| 0.6.138 | 9 / 3 | |
| 0.6.137 | 9 / 3 | |
| 0.6.136 | 9 / 3 | |
| 0.6.135 | 9 / 3 | |
| 0.6.134 | 9 / 3 | |
| 0.6.133 | 9 / 3 | |
| 0.6.132 | 9 / 3 | |
| 0.6.131 | 9 / 3 | |
| 0.6.130 | 9 / 3 | |
| 0.6.129 | 9 / 3 | |
| 0.6.128 | 9 / 3 | |
| 0.6.127 | 9 / 3 | |
| 0.6.126 | 9 / 3 | |
| 0.6.125 | 9 / 3 | |
| 0.6.124 | 9 / 3 | |
| 0.6.123 | 9 / 3 | |
| 0.6.122 | 9 / 3 | |
| 0.6.121 | 9 / 3 | |
| 0.6.120 | 9 / 3 | |
| 0.6.119 | 9 / 3 | |
| 0.6.118 | 9 / 3 | |
| 0.6.117 | 9 / 3 | |
| 0.6.116 | 9 / 3 | |
| 0.6.115 | 9 / 3 | |
| 0.6.114 | 9 / 3 | |
| 0.6.113 | 9 / 3 | |
| 0.6.112 | 9 / 3 | |
| 0.6.111 | 9 / 3 | |
| 0.6.110 | 9 / 3 | |
| 0.6.109 | 9 / 3 | |
| 0.6.108 | 9 / 3 | |
| 0.6.107 | 9 / 3 | |
| 0.6.106 | 9 / 3 | |
v0.7.51
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.50
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.49
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.48
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.47
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.46
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.45
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.44
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.43
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.42
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.41
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.40
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.39
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.38
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.37
2 findings:
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
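The publisher check in that finding compares the account that published a version against the maintainers listed on earlier approved versions. The following is an added example of that comparison, not the report generator's code, run over a constructed history. The report does not say how the tool treats the CI identity publishing again after a one-off manual publish, so this example treats any publisher already seen on an approved version as part of the baseline; that rule, the field names and the account names are assumptions.

```javascript
// Added example (not the report generator's code): publisher-continuity check
// of the kind the 0.7.37 finding describes. History and accounts are constructed.

// approvedHistory is newest-first; each entry is a previously approved version:
// { version, publisher, maintainers: [names] }.
function classifyPublisher(candidate, approvedHistory) {
  if (approvedHistory.length === 0) {
    return { level: "INFO", kind: "no-baseline",
      message: `${candidate.version}: first approved version; no publisher baseline yet` };
  }
  const last = approvedHistory[0];
  if (candidate.publisher === last.publisher) {
    return { level: "NONE", kind: "same-publisher",
      message: `${candidate.version}: published by ${candidate.publisher}, same as ${last.version}` };
  }
  // Assumption: a publisher seen on any approved version (typically the CI
  // identity returning after a manual publish) is part of the baseline.
  const priorPublishers = new Set(approvedHistory.map((v) => v.publisher));
  if (priorPublishers.has(candidate.publisher)) {
    return { level: "NONE", kind: "prior-publisher",
      message: `${candidate.version}: published by ${candidate.publisher}, a publisher of earlier approved versions` };
  }
  // "Matched on name": a maintainer listing on any prior approved version.
  const knownOn = approvedHistory
    .filter((v) => v.maintainers.includes(candidate.publisher))
    .map((v) => v.version);
  if (knownOn.length > 0) {
    return { level: "INFO", kind: "manual-publish-by-known-maintainer",
      message: `${candidate.version}: published by ${candidate.publisher} instead of ${last.publisher}; ` +
        `${candidate.publisher} is a maintainer on ${knownOn.join(", ")}` };
  }
  return { level: "WARN", kind: "publisher-change",
    message: `${candidate.version}: published by ${candidate.publisher}, not a maintainer on any approved version (last: ${last.publisher})` };
}

// Constructed history. The CI identity is whatever name the registry records
// for workflow publishes; the maintainer names are made up.
const CI_PUBLISHER = "GitHub Actions";
const HISTORY = [
  { version: "0.7.36", publisher: CI_PUBLISHER, maintainers: ["stormie-bot", "example-maintainer"] },
  { version: "0.7.35", publisher: CI_PUBLISHER, maintainers: ["stormie-bot", "example-maintainer"] },
];

const DEMO = [
  { version: "0.7.37", publisher: "stormie-bot" },      // known maintainer, manual publish
  { version: "0.7.37", publisher: "unknown-account" },  // nobody the package has seen before
].map((c) => classifyPublisher(c, HISTORY));
for (const r of DEMO) console.log(`${r.level} ${r.kind}: ${r.message}`);
```

Name matching is a weak signal: an account that has been taken over still matches, so this check is only an audit-trail aid. What actually ties the 0.7.37 tarball to a source revision and a build workflow is the Sigstore attestation recorded in the same finding, and a consumer should verify that independently rather than trust the report (for installed packages, `npm audit signatures` checks registry signatures and provenance attestations).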
v0.7.36
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.35
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.34
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.33
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.32
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.31
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.30
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.29
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.28
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.27
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.26
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.25
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.24
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.21
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.20
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.19
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.15
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.6
3 findings:
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/storm-software/storm-ops/blob/53d2ed234e902be71b97a3f927d2613f1a15731f/bin/pnpm.cjs#L1368
  1366 |   return (0, import_node_child_process.exec)(command, {
  1367 |     cwd,
> 1368 |     env: {
  1369 |       ...process.env,
  1370 |       ...env,
Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/storm-software/storm-ops/blob/53d2ed234e902be71b97a3f927d2613f1a15731f/bin/pnpm.js#L1346
  1344 |   return exec(command, {
  1345 |     cwd,
> 1346 |     env: {
  1347 |       ...process.env,
  1348 |       ...env,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
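The snippet flagged in both findings hands the wrapper's entire environment to the child pnpm process, so any NPM_TOKEN, GITHUB_TOKEN or cloud credential injected into a CI job is visible to whatever that child (and its lifecycle scripts) runs. The following is an added example, not code from @storm-software/pnpm-tools: the flagged shape beside a scoped version that forwards a fixed base set, keys under an agreed prefix (the accepted env-bulk-read finding above describes STORM_EXTENSION_* as that prefix) and explicit overrides. The base allowlist, the helper names and the sample environment are assumptions constructed for the example.

```javascript
// Added example, not code from @storm-software/pnpm-tools: the env-spread
// pattern the finding flags, next to a scoped alternative. Allowlist, prefix
// convention and sample environment are assumptions for the example.

// Variables a package-manager wrapper usually needs from its parent (assumed
// set; npm_config_user_agent is included because pnpm/npm read config from
// npm_config_* variables). Extend per wrapper, deliberately.
const BASE_ALLOWLIST = [
  "PATH", "HOME", "USERPROFILE", "TMPDIR", "TEMP", "SHELL", "TERM",
  "LANG", "LC_ALL", "NODE_ENV", "CI", "npm_config_user_agent",
];

// The flagged shape: everything in the parent environment reaches the child.
function unscopedChildEnv(parentEnv, overrides = {}) {
  return { ...parentEnv, ...overrides };
}

// Scoped alternative: base allowlist + keys under an agreed prefix + explicit
// overrides. Anything else in the parent stays invisible to the child.
// (process.env on Windows is case-insensitive, so the `in` check works there too.)
function scopedChildEnv(parentEnv, overrides = {}, { prefixes = [] } = {}) {
  const child = {};
  for (const key of BASE_ALLOWLIST) {
    if (key in parentEnv) child[key] = parentEnv[key];
  }
  for (const [key, value] of Object.entries(parentEnv)) {
    if (prefixes.some((p) => key.startsWith(p))) child[key] = value;
  }
  return Object.assign(child, overrides);
}

// Regression check for a wrapper's test suite: which credential-looking keys
// would the child inherit? (Name-based, so a secret under a bland name slips by.)
function secretLikeKeys(env) {
  return Object.keys(env).filter((k) => /TOKEN|SECRET|PASSWORD|PRIVATE_KEY|_KEY$/i.test(k));
}

// Constructed parent environment, shaped like a CI runner's. Values are not real.
const SAMPLE_PARENT_ENV = {
  PATH: "/usr/local/bin:/usr/bin",
  HOME: "/home/runner",
  CI: "true",
  NPM_TOKEN: "npm_example_not_real",
  GITHUB_TOKEN: "ghs_example_not_real",
  AWS_SECRET_ACCESS_KEY: "example_not_real",
  STORM_EXTENSION_REGISTRY: "https://registry.example.test",
};

const leaky = unscopedChildEnv(SAMPLE_PARENT_ENV, { NODE_ENV: "production" });
const scoped = scopedChildEnv(SAMPLE_PARENT_ENV, { NODE_ENV: "production" }, { prefixes: ["STORM_EXTENSION_"] });
console.log("unscoped child would inherit:", secretLikeKeys(leaky));
console.log("scoped child would inherit:", secretLikeKeys(scoped));
// `scoped` is the object that goes into exec(command, { cwd, env: scoped }).
```

The reviewer accepted the finding because the wrapper's own use of the environment is scoped and nothing is sent anywhere; the example is the shape to reach for when a wrapper also runs arbitrary lifecycle scripts, since an allowlisted env limits what a compromised dependency's postinstall can read from the process, even though it does nothing about credentials that sit in files under HOME.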
v0.7.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.156
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.155
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.154
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.153
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.152
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.151
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.150
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.149
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.148
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.147
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.146
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.145
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.144
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.143
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.142
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.141
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.140
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.139
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.138
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.137
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.136
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.135
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.134
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.133
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.132
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.131
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.130
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.129
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.128
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.127
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.126
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.125
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.124
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.123
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.122
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.121
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.120
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.119
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.118
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.117
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.116
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.115
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.114
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.113
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.112
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.111
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.110
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.109
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.108
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.107
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.106
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.