@symbo.ls/sync
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@symbo.ls/init | AI (dependencies): Same-org sibling dep in a monorepo; version-locked to matching release. | ai | |
| dependencies | unvetted-dep:@symbo.ls/uikit | AI (dependencies): Same-org sibling dep in a monorepo; version-locked to matching release. | ai | |
| dependencies | unvetted-dep:@symbo.ls/socket | AI (dependencies): Same-org sibling dep in a monorepo; version-locked to matching release. | ai | |
| typosquat | typosquat.levenshtein:async | AI (typosquat): Scoped org package @symbo.ls/sync; similarity to 'async' is coincidental, not impersonation. | ai | |
| phantom-deps | phantom-dep:@symbo.ls/scratch | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic is a stable false positive for this monorepo package. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 3.14.0 | 8 / 1 | |
| 2.33.38 | 7 / 1 | |
| 2.33.13 | 7 / 1 | |
| 2.33.3 | 7 / 1 | |
| 2.32.28 | 7 / 1 | |
| 2.32.15 | 7 / 1 | |
| 2.32.14 | 7 / 1 | |
| 2.32.13 | 7 / 1 | |
| 2.32.11 | 7 / 1 | |
| 2.32.10 | 7 / 1 | |
| 2.32.9 | 7 / 1 | |
| 2.32.7 | 7 / 1 |
v3.14.0
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.33.38
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.32.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.32.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.32.14
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.13
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.11
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.10
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.9
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.32.7
2 findingsPackage name '@symbo.ls/sync' is 1 edit(s) away from popular package 'async'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.