@storm-software/tsdown No license 27 versions

@storm-software/tsdown

npm Repository Homepage

27

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

stormie-botsullivanpj

Keywords

acidiccyclone-uitsdownmonorepostormstorm-opsstorm-stacksullivanpj

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): SLSA provenance attestation present; gitHead absence is a minor metadata gap, not a supply chain risk for this publisher.	ai	2026/05/09
provenance	publisher-changed	AI (provenance): Transition from stormie-bot to GitHub Actions CI publisher; SLSA provenance attestation confirms legitimate CI/CD pipeline.	ai	2026/05/09
publish-pattern	new-deps-added	AI (publish-pattern): New deps are first-party Storm Software monorepo packages; consistent with internal refactoring pattern across 459 versions.	ai	2026/05/09
phantom-deps	phantom-dep:rolldown	AI (phantom-deps): Declared runtime dep; bundler integration, stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:commander	AI (phantom-deps): Declared runtime dep; CLI binary uses commander, stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:tsup	AI (phantom-deps): Declared runtime dep in package.json; used via config/build toolchain, not direct import.	ai	2026/04/28
phantom-deps	phantom-dep:source-map	AI (phantom-deps): Declared runtime dep; source map handling in build output, stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@storm-software/config-tools	AI (phantom-deps): Same-org dep declared in dependencies; stable false positive for this package family.	ai	2026/04/28
phantom-deps	phantom-dep:es-toolkit	AI (phantom-deps): Declared runtime dep; utility library used in build toolchain.	ai	2026/04/28
phantom-deps	phantom-dep:globby	AI (phantom-deps): Declared runtime dep; used in config/build utilities, stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): Declared runtime dep; used in watch/build toolchain, stable false positive.	ai	2026/04/28

Versions (showing 27 of 259)

Version	Deps	Published
0.31.0	11 / 9	2025-05-06
0.30.1	11 / 9	2025-05-05
0.30.0	11 / 9	2025-05-05
0.29.5	11 / 9	2025-05-05
0.29.4	11 / 9	2025-05-05
0.28.25	8 / 9	2025-04-30
0.28.24	8 / 9	2025-04-30
0.28.23	8 / 9	2025-04-30
0.28.22	8 / 9	2025-04-30
0.28.21	8 / 9	2025-04-30
0.28.20	8 / 9	2025-04-30
0.28.19	8 / 9	2025-04-30
0.28.18	8 / 9	2025-04-29
0.28.17	8 / 9	2025-04-29
0.28.16	8 / 9	2025-04-29
0.28.15	8 / 9	2025-04-29
0.28.14	8 / 9	2025-04-29
0.28.13	8 / 9	2025-04-29
0.28.12	8 / 9	2025-04-29
0.28.11	8 / 9	2025-04-29
0.28.10	8 / 9	2025-04-29
0.28.9	8 / 9	2025-04-29
0.28.8	8 / 9	2025-04-28
0.28.7	8 / 9	2025-04-28
0.28.6	8 / 9	2025-04-28
0.28.5	8 / 9	2025-04-28
0.28.4	8 / 9	2025-04-28

v0.31.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.30.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.30.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.29.5

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.29.4

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.25

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.24

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.23

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.22

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.21

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.19

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.18

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.17

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.15

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.