@storm-software/pnpm-tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:prettier-plugin-pkg | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-esm-node-path | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-better-defaults | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README quality issues in a monorepo tooling package; not indicative of spam or malice. | ai | |
| phantom-deps | phantom-dep:@storm-software/config | AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic unreliable for bundled monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing process.env to child_process.exec is standard; env is scoped and not exfiltrated. | ai | |
| phantom-deps | phantom-dep:@storm-software/npm-tools | AI (phantom-deps): Same-org dep; declared as runtime dependency and used transitively. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-packagejson | AI (phantom-deps): Referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@storm-software/package-constants | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): pnpm CLI wrapper legitimately uses child_process to run pnpm commands. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only STORM_EXTENSION_* prefixed keys; scoped config pattern, not exfiltration. | ai |
Versions (showing 20 of 149)
| Version | Deps | Published |
|---|---|---|
| 0.6.105 | 9 / 3 | |
| 0.6.104 | 9 / 3 | |
| 0.6.103 | 9 / 3 | |
| 0.6.102 | 9 / 3 | |
| 0.6.101 | 9 / 3 | |
| 0.6.100 | 9 / 3 | |
| 0.6.99 | 9 / 3 | |
| 0.6.98 | 9 / 3 | |
| 0.6.97 | 9 / 3 | |
| 0.6.96 | 9 / 3 | |
| 0.6.95 | 9 / 3 | |
| 0.6.94 | 9 / 3 | |
| 0.6.93 | 9 / 3 | |
| 0.6.92 | 9 / 3 | |
| 0.6.91 | 9 / 3 | |
| 0.6.90 | 9 / 3 | |
| 0.6.89 | 9 / 3 | |
| 0.6.14 | 11 / 3 | |
| 0.5.6 | 11 / 3 | |
| 0.5.5 | 11 / 3 |
v0.6.105
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.104
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.103
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.102
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.101
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.100
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.99
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.98
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.97
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.96
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.95
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.94
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.93
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.92
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.91
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.90
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.89
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.