@strapi/generators
Interactive API generator.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): handlebars is a well-known templating lib, pinned at 4.7.7, appropriate for a code-generator package. | ai | |
| phantom-deps | phantom-dep:copyfiles | AI (phantom-deps): copyfiles is listed in dependencies and used in build scripts (copy-files script). Not a true phantom dependency for this package. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a widely-used templating library; appropriate dependency for a code generator package. | ai | |
| provenance | publisher-changed | AI (provenance): alexandrebodin is a long-standing Strapi org maintainer (3230 days, 12955 approved). Rotation among Strapi team members is normal. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Gap reflects v4→v5 major version transition; @strapi/generators was restructured and resumed publishing under v5. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is listed as a runtime dependency in package.json for @strapi/generators; phantom-dep flag is a tooling artifact, not a real risk for this package. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE | AI (license): Standard Strapi license declaration referencing their LICENSE file; consistent across all Strapi monorepo packages. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 5.46.0 | 10 / 6 | |
| 5.45.1 | 10 / 6 | |
| 5.45.0 | 10 / 6 | |
| 5.44.0 | 10 / 6 | |
| 5.43.0 | 10 / 6 | |
| 5.41.0 | 10 / 6 | |
| 5.35.0 | 11 / 5 | |
| 5.31.2 | 11 / 5 | |
| 5.30.1 | 11 / 5 | |
| 5.30.0 | 9 / 3 | |
| 5.23.6 | 9 / 3 | |
| 5.19.0 | 9 / 3 | |
| 5.18.0 | 9 / 3 | |
| 5.17.0 | 9 / 3 | |
| 5.16.1 | 9 / 3 | |
| 5.16.0 | 9 / 3 | |
| 5.15.1 | 9 / 3 | |
| 5.15.0 | 9 / 3 | |
| 5.14.0 | 9 / 3 | |
| 5.13.1 | 9 / 3 | |
| 5.13.0 | 9 / 3 | |
| 5.12.7 | 9 / 3 | |
| 4.26.1 | 9 / 3 | |
| 4.26.0 | 9 / 3 |
v5.46.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.31.2
2 findingsThis version was published by a different npm account than previous versions on 2025-11-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.30.1
2 findingsThis version was published by a different npm account than previous versions on 2025-11-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.30.0
2 findingsThis version was published by a different npm account than previous versions on 2025-10-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.18.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.17.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.13.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.12.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.26.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.26.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.