@syntrologie/adapt-overlays

Adaptive Overlays app - Visual overlays for tooltips, highlights, badges, and pulses

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

syntrologie-eng

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	rapid-publish	AI (publish-pattern): High-frequency automated publishing is the norm for this org (350 versions); rapid publishes with no material changes are expected CI behavior.	ai	2026/05/22
phantom-deps	phantom-dep:@syntrologie/shared-editor-ui	AI (phantom-deps): Bundled dependency; declared in bundledDependencies for build-time inclusion, not runtime import.	ai	2026/05/06
phantom-deps	phantom-dep:@syntro/design-system	AI (phantom-deps): Bundled dependency; declared in bundledDependencies for build-time inclusion, not runtime import.	ai	2026/05/06
dependencies	unvetted-dep:@syntrologie/shared-editor-ui	AI (dependencies): Internal Syntrologie shared editor UI package listed as a bundledDependency; wildcard version is standard monorepo practice for same-org packages.	ai	2026/04/26
dependencies	unvetted-dep:@syntro/design-system	AI (dependencies): Internal Syntrologie design system package listed as a bundledDependency; resolved within the monorepo at build time, not a third-party unknown.	ai	2026/04/26
dependencies	unvetted-dep:@syntrologie/sdk-contracts	AI (dependencies): Internal Syntrologie SDK contracts package listed as a bundledDependency; wildcard version is standard monorepo practice for same-org packages.	ai	2026/04/26
provenance	no-provenance	AI (provenance): Proprietary org package; lack of Sigstore provenance is common and not a disqualifying signal for this publisher.	ai	2026/04/25
dependencies	unvetted-dep:lit	AI (dependencies): lit is Google's well-known web components library; pinned to 3.3.2. Not a security risk for this package.	ai	2026/04/25

Versions (showing 13 of 13)

Version	Deps	Published
2.25.0	5 / 9	2026-05-19
2.24.2	5 / 9	2026-05-18
2.24.1	5 / 9	2026-05-18
2.20.0	5 / 9	2026-05-07
2.19.0	5 / 9	2026-05-06
2.16.0	5 / 13	2026-04-24
2.15.0	5 / 13	2026-04-23
2.14.0	4 / 11	2026-04-15
2.13.0	4 / 11	2026-04-09
2.12.0	4 / 11	2026-04-09
2.1.0	3 / 10	2026-02-17
2.0.1	1 / 9	2026-02-14
1.0.0	1 / 9	2026-02-14

v2.25.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.15.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.14.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.13.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.12.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.