@sumup-oss/foundry
A toolkit for JavaScript + TypeScript applications by SumUp.
Versions: 3
License: Apache-2.0
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
connor_baerfelixjungsumupbotappscisumup
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Corporate OSS toolkit from SumUp; bogus signals are noise for this package. | ai | |
| phantom-deps | phantom-dep:@biomejs/biome | AI (phantom-deps): Exposed via ./biome export; config-referenced tool, not directly imported. | ai | |
| phantom-deps | phantom-dep:stylelint-order | AI (phantom-deps): Stylelint plugin loaded via config, not direct import; expected pattern for this toolkit. | ai | |
| phantom-deps | phantom-dep:@biomejs/wasm-nodejs | AI (phantom-deps): WASM runtime dep for biome; loaded indirectly, not directly imported. | ai | |
| phantom-deps | phantom-dep:husky | AI (phantom-deps): husky is a runtime dep exposed via ./husky export; config-referenced, not directly imported. | ai | |
| phantom-deps | phantom-dep:stylelint-config-standard | AI (phantom-deps): Stylelint config dep; loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): ESLint plugin referenced in config; expected pattern for linting toolkit. | ai | |
| phantom-deps | phantom-dep:stylelint-no-unsupported-browser-features | AI (phantom-deps): Stylelint plugin loaded via config; expected pattern for this toolkit. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint parser referenced in config; expected pattern for linting toolkit. | ai | |
v10.1.0 (1 finding)
INFO: Has SLSA provenance attestation (provenance)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.6 (1 finding)
INFO: Has SLSA provenance attestation (provenance)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.