@teambit/api-server
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a well-known, widely-used package; legitimate dependency for an API server component. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): teambit publishes many coordinated packages in rapid succession via CI; this is a stable pattern across 2321+ versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): express is a natural dependency for an api-server package; addition is contextually appropriate. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.loader | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/scope.network | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.network.get-port | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.feature-toggle | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.modules.component-url | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.send-server-sent-events | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.modules.merge-helper | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/lane-id | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| provenance | no-provenance | AI (provenance): teambit publishes hundreds of packages without provenance; consistent across all versions. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Stable pattern across all @teambit/* scoped packages; not a malware signal here. | ai | |
| phantom-deps | phantom-dep:@teambit/component.modules.merge-helper | AI (phantom-deps): Same-org @teambit scope dependency; phantom-dep heuristic unreliable for Bit's component-based monorepo structure. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 1.0.1036 | 49 / 8 | |
| 1.0.1025 | 49 / 8 | |
| 1.0.1017 | 49 / 8 | |
| 1.0.1010 | 49 / 8 | |
| 1.0.1009 | 49 / 8 | |
| 1.0.1008 | 49 / 8 | |
| 1.0.1007 | 49 / 8 | |
| 1.0.1006 | 49 / 8 | |
| 1.0.1005 | 49 / 8 | |
| 1.0.1004 | 49 / 8 | |
| 1.0.998 | 49 / 8 | |
| 1.0.996 | 48 / 7 | |
| 1.0.995 | 48 / 7 | |
| 1.0.994 | 48 / 7 | |
| 1.0.992 | 48 / 7 | |
| 1.0.991 | 48 / 7 | |
| 1.0.973 | 48 / 7 | |
| 1.0.971 | 48 / 7 | |
| 1.0.967 | 48 / 7 | |
| 1.0.965 | 48 / 7 | |
| 1.0.963 | 48 / 7 | |
| 1.0.960 | 48 / 7 | |
| 1.0.953 | 48 / 7 | |
| 1.0.949 | 48 / 7 | |
| 1.0.948 | 48 / 7 | |
| 1.0.947 | 48 / 7 | |
| 1.0.867 | 47 / 7 | |
| 1.0.786 | 48 / 8 | |
| 1.0.717 | 47 / 7 | |
v1.0.1036
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1025
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1017
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1010
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1009
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1008
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1007
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1006
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1005
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1004
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.998
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.996
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.995
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.994
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.991
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.973
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.971
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.967
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.965
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.963
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.960
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.953
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.949
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.948
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.947
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.867
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.786
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.717
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.