@stryke/env
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Low-score cosmetic signals (off-topic README, no keywords) on an established 441-day-old package with 173 versions; not indicative of spam or malice. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from stormie-bot to GitHub Actions with SLSA provenance attestation is a legitimate CI/CD pipeline improvement for the storm-software/stryke org; not a compromise indicator. | ai | |
| source-diff | obfuscated-file:dist/string-format/src/acronyms.cjs | AI (source-diff): File is a minified acronym dictionary (plain data object), not obfuscated code. Long lines are from bundling a large data file; no malicious patterns present. | ai | |
| source-diff | obfuscated-file:dist/string-format/src/acronyms.mjs | AI (source-diff): ESM variant of the same minified acronym dictionary. Fully readable data, no obfuscation or malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/environment-checks-ghgIrof1.cjs | AI (source-diff): Minified bundler output (tsdown/rollup) for environment-checks entry point. Content is legitimate env detection logic. Pattern is stable for this package's build system. | ai | |
| source-diff | obfuscated-file:dist/get-env-paths-CRQWNX3i.cjs | AI (source-diff): Minified bundler output for get-env-paths entry point. Content is an acronym dictionary and path utilities — no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/get-env-paths-DUHBXxwb.mjs | AI (source-diff): ESM variant of the same get-env-paths bundle. Identical benign content to the CJS counterpart; standard dual-format build output. | ai | |
| phantom-deps | phantom-dep:@stryke/path | AI (phantom-deps): Same-org sibling package in the storm-software/stryke monorepo; phantom dep detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@stryke/fs | AI (phantom-deps): Same-org sibling package in the storm-software/stryke monorepo; phantom dep detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@stryke/string-format | AI (phantom-deps): Same-org sibling package in the storm-software/stryke monorepo; phantom dep detection is a false positive for intra-monorepo dependencies. | ai | |
| phantom-deps | phantom-dep:@stryke/convert | AI (phantom-deps): Same-org sibling package in the storm-software/stryke monorepo; phantom dep detection is a false positive for intra-monorepo dependencies. | ai | |
| dependencies | unvetted-dep:@stryke/fs | AI (dependencies): Same-org sibling package from the storm-software/stryke monorepo; not an external unvetted dependency. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @stryke monorepo package; Levenshtein match to 'ajv' is coincidental. Package is an env utility with no relation to ajv's JSON schema validation domain. | ai |
Versions (showing 51 of 168)
| Version | Deps | Published |
|---|---|---|
| 0.20.102 | 6 / 2 | |
| 0.20.101 | 6 / 2 | |
| 0.20.100 | 6 / 2 | |
| 0.20.99 | 6 / 2 | |
| 0.20.98 | 6 / 2 | |
| 0.20.97 | 6 / 2 | |
| 0.20.96 | 6 / 2 | |
| 0.20.95 | 6 / 2 | |
| 0.20.94 | 6 / 2 | |
| 0.20.93 | 6 / 2 | |
| 0.20.92 | 6 / 2 | |
| 0.20.91 | 6 / 2 | |
| 0.20.90 | 6 / 2 | |
| 0.20.89 | 6 / 2 | |
| 0.20.88 | 6 / 2 | |
| 0.20.87 | 6 / 2 | |
| 0.20.86 | 6 / 2 | |
| 0.20.85 | 6 / 2 | |
| 0.20.84 | 6 / 2 | |
| 0.20.83 | 6 / 2 | |
| 0.20.82 | 6 / 2 | |
| 0.20.81 | 6 / 2 | |
| 0.20.80 | 6 / 2 | |
| 0.20.79 | 6 / 2 | |
| 0.20.78 | 6 / 2 | |
| 0.20.77 | 6 / 2 | |
| 0.20.76 | 6 / 2 | |
| 0.20.75 | 6 / 2 | |
| 0.20.74 | 6 / 2 | |
| 0.20.73 | 6 / 2 | |
| 0.20.72 | 6 / 2 | |
| 0.20.71 | 6 / 2 | |
| 0.20.70 | 6 / 2 | |
| 0.20.67 | 6 / 2 | |
| 0.20.66 | 6 / 2 | |
| 0.20.65 | 6 / 2 | |
| 0.20.64 | 6 / 2 | |
| 0.20.63 | 6 / 2 | |
| 0.20.62 | 6 / 2 | |
| 0.20.61 | 6 / 2 | |
| 0.20.60 | 6 / 2 | |
| 0.20.59 | 6 / 2 | |
| 0.20.57 | 6 / 2 | |
| 0.20.56 | 6 / 2 | |
| 0.20.55 | 6 / 2 | |
| 0.20.54 | 6 / 2 | |
| 0.20.53 | 6 / 2 | |
| 0.20.52 | 6 / 2 | |
| 0.20.51 | 6 / 2 | |
| 0.20.50 | 6 / 2 | |
| 0.20.49 | 6 / 2 |
v0.20.102
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.101
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.100
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.99
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.98
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.97
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.96
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.95
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.94
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-25, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.20.93
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.92
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.91
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.90
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.89
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.88
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.86
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.85
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.84
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.83
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.82
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.