@strapi/email
Easily configure your Strapi application to send emails.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Strapi monorepo; version gaps are common across its many packages. Publisher track record is strong. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): bassel17 added to a large, active Strapi org package; consistent with org team expansion, not takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): zod is a well-established validation library; addition is consistent with Strapi's validation patterns. | ai | |
| provenance | no-provenance | AI (provenance): @strapi/email is a well-established Strapi core package with 1100 versions and 121k weekly downloads; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE | AI (license): Standard Strapi license declaration pattern referencing their custom LICENSE file; consistent across all Strapi packages. | ai | |
| dependencies | unvetted-dep:@strapi/icons | AI (dependencies): First-party Strapi package from the same monorepo; no security concern. | ai | |
| dependencies | unvetted-dep:react-query | AI (dependencies): react-query 3.39.3 is a widely-used, stable React data-fetching library with no known security issues; standard dependency for Strapi admin UI. | ai | |
| dependencies | unvetted-dep:@strapi/design-system | AI (dependencies): First-party Strapi design system package from the same monorepo; no security concern. | ai | |
| dependencies | unvetted-dep:koa2-ratelimit | AI (dependencies): Standard Koa rate-limiting middleware; legitimate and expected dependency for an email plugin with rate-limiting functionality. | ai | |
| phantom-deps | phantom-dep:@strapi/provider-email-sendmail | AI (phantom-deps): This is the default email provider for Strapi, dynamically loaded as a plugin. Not being directly imported in source is expected for Strapi's plugin architecture. | ai | |
| bogus-package | bogus-package | AI (bogus-package): @strapi/email is a core Strapi plugin with 1100 versions and 122k weekly downloads. Short README and no keywords are cosmetic issues, not spam indicators. | ai |
Versions (showing 51 of 64)
| Version | Deps | Published |
|---|---|---|
| 5.47.1 | 10 / 11 | |
| 5.47.0 | 10 / 11 | |
| 5.46.1 | 10 / 11 | |
| 5.46.0 | 10 / 11 | |
| 5.45.1 | 10 / 12 | |
| 5.45.0 | 10 / 12 | |
| 5.44.0 | 10 / 12 | |
| 5.43.0 | 10 / 12 | |
| 5.42.1 | 10 / 12 | |
| 5.42.0 | 10 / 12 | |
| 5.41.1 | 10 / 12 | |
| 5.41.0 | 10 / 12 | |
| 5.40.0 | 10 / 12 | |
| 5.39.0 | 10 / 12 | |
| 5.38.1 | 10 / 12 | |
| 5.38.0 | 10 / 12 | |
| 5.37.1 | 10 / 12 | |
| 5.37.0 | 10 / 12 | |
| 5.36.1 | 10 / 12 | |
| 5.36.0 | 10 / 12 | |
| 5.35.0 | 10 / 12 | |
| 5.34.0 | 10 / 12 | |
| 5.33.4 | 10 / 12 | |
| 5.33.3 | 10 / 12 | |
| 5.33.2 | 10 / 12 | |
| 5.33.1 | 10 / 12 | |
| 5.33.0 | 10 / 12 | |
| 5.32.0 | 10 / 12 | |
| 5.31.3 | 10 / 12 | |
| 5.31.2 | 10 / 12 | |
| 5.31.1 | 10 / 12 | |
| 5.31.0 | 10 / 12 | |
| 5.30.1 | 10 / 12 | |
| 5.30.0 | 10 / 12 | |
| 5.29.0 | 10 / 12 | |
| 5.28.0 | 10 / 12 | |
| 5.27.0 | 10 / 12 | |
| 5.26.0 | 10 / 12 | |
| 5.25.0 | 10 / 12 | |
| 5.24.2 | 10 / 12 | |
| 5.24.1 | 10 / 12 | |
| 5.24.0 | 10 / 12 | |
| 5.23.6 | 10 / 12 | |
| 5.23.5 | 10 / 12 | |
| 5.23.4 | 10 / 12 | |
| 5.23.3 | 10 / 12 | |
| 5.23.2 | 10 / 12 | |
| 5.23.1 | 10 / 12 | |
| 5.23.0 | 10 / 12 | |
| 5.22.0 | 10 / 12 | |
| 5.21.0 | 10 / 12 |
v5.47.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.47.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.40.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.38.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.37.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.23.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.