@tachybase/data-source — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sealdaytomyjan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:jsonwebtoken	AI (phantom-deps): JWT library used in config/type resolution; stable false positive for this package.	ai	2026/05/30
phantom-deps	phantom-dep:@types/jsonwebtoken	AI (phantom-deps): Type package loaded by convention; stable false positive for this package.	ai	2026/05/30
phantom-deps	phantom-dep:@tachybase/cache	AI (phantom-deps): Same-org scoped dep; monorepo convention, not a real phantom dep.	ai	2026/05/30
bogus-package	bogus-package	AI (bogus-package): Monorepo sub-package; missing description/repo/keywords is a consistent pattern across all @tachybase/* packages, not a spam indicator.	ai	2026/05/26
npm-metadata	no-description	AI (npm-metadata): Stable pattern for this monorepo; not indicative of malicious intent.	ai	2026/05/26
dependencies	unvetted-dep:@tachybase/acl	AI (dependencies): Sibling monorepo package pinned to same version; coordinated release pattern.	ai	2026/05/22
dependencies	unvetted-dep:@tachybase/utils	AI (dependencies): Sibling monorepo package pinned to same version; coordinated release pattern.	ai	2026/05/22
dependencies	unvetted-dep:@tachybase/database	AI (dependencies): Sibling monorepo package pinned to same version; coordinated release pattern.	ai	2026/05/22
dependencies	unvetted-dep:@tachybase/actions	AI (dependencies): Sibling monorepo package pinned to same version; coordinated release pattern.	ai	2026/05/22
dependencies	unvetted-dep:@tachybase/resourcer	AI (dependencies): Sibling monorepo package pinned to same version; coordinated release pattern.	ai	2026/05/22

Versions (showing 51 of 100)

View all versions

Version	Deps	Published
1.6.12	8 / 7	2026-05-21
1.6.11	8 / 7	2026-05-06
1.6.10	8 / 7	2026-03-23
1.6.9	8 / 7	2026-03-18
1.6.3	8 / 7	2026-02-03
1.6.2	8 / 7	2025-12-26
1.6.1	8 / 7	2025-12-09
1.6.0	8 / 7	2025-12-05
1.3.54	8 / 7	2025-11-13
1.3.53	8 / 7	2025-11-13
1.3.52	8 / 7	2025-08-04
1.3.51	8 / 7	2025-08-04
1.3.50	8 / 7	2025-08-04
1.3.49	8 / 7	2025-08-03
1.3.48	8 / 7	2025-08-03
1.3.47	8 / 7	2025-08-03
1.3.46	8 / 7	2025-08-03
1.3.45	8 / 7	2025-08-03
1.3.44	8 / 7	2025-08-03
1.3.43	8 / 7	2025-08-02
1.3.42	8 / 7	2025-07-31
1.3.41	8 / 7	2025-07-31
1.3.40	8 / 7	2025-07-30
1.3.39	8 / 7	2025-07-29
1.3.38	8 / 7	2025-07-28
1.3.37	8 / 7	2025-07-28
1.3.36	8 / 7	2025-07-28
1.3.35	8 / 7	2025-07-28
1.3.34	11 / 7	2025-07-28
1.3.33	11 / 7	2025-07-28
1.3.32	8 / 7	2025-07-28
1.3.31	8 / 7	2025-07-28
1.3.30	8 / 7	2025-07-28
1.3.29	11 / 7	2025-07-27
1.3.28	11 / 7	2025-07-27
1.3.27	11 / 7	2025-07-27
1.3.26	11 / 7	2025-07-26
1.3.25	11 / 7	2025-07-26
1.3.24	11 / 7	2025-07-26
1.3.23	11 / 7	2025-07-26
1.3.22	11 / 7	2025-07-26
1.3.21	11 / 7	2025-07-25
1.3.20	11 / 7	2025-07-24
1.3.19	11 / 7	2025-07-17
1.3.18	11 / 7	2025-07-17
1.3.17	11 / 7	2025-07-04
1.3.16	11 / 7	2025-07-02
1.3.15	11 / 7	2025-07-01
1.3.14	11 / 7	2025-07-01
1.3.13	11 / 7	2025-06-29
1.3.12	11 / 7	2025-06-29

v1.6.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.