@teambit/bit
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | rapid-publish | AI (publish-pattern): teambit/bit releases frequently via automation; rapid successive publishes are the normal pattern for this package. | ai | |
| dependencies | unvetted-dep:@teambit/internalize | AI (dependencies): Same-org @teambit/* dep consistent with this package's established pattern of internal teambit dependencies. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with homepage and keywords; missing description is cosmetic. | ai | |
| provenance | no-provenance | AI (provenance): Teambit has 704 approved packages without provenance; consistent publishing pattern. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.bit-map | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.analytics | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope-api | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/bit.get-bit-version | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/design.ui.brand.logo | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/base-react.navigation.link | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/scope.modules.find-scope-path | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.modules.workspace-locator | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/ui-foundation.ui.navigation.react-router-adapter | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-config | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@lydell/node-pty | AI (dependencies): Internal/ecosystem dep for terminal support; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.loader | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Same-org @teambit/* internal dependency; expected for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@teambit/base-react.navigation.link | AI (phantom-deps): Same org scope; loaded by convention in Bit's component system. | ai | |
| phantom-deps | phantom-dep:@teambit/ui-foundation.ui.navigation.react-router-adapter | AI (phantom-deps): Same org scope; loaded by convention in Bit's component system. | ai | |
| phantom-deps | phantom-dep:@yarnpkg/plugin-pack | AI (phantom-deps): Config-file reference in a large monorepo CLI tool; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-router-dom | AI (phantom-deps): UI routing dep in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:mz | AI (phantom-deps): Large monorepo CLI; phantom deps are config-referenced polyfills/peer deps, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): Browser polyfill declared for bundler config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit runtime dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): Config-referenced peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): Config-referenced build dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Browser polyfill in bundler config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@swc/css | AI (phantom-deps): Config-referenced optional CSS processor; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Peer/UI dep referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build toolchain dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@parcel/css | AI (phantom-deps): Config-referenced CSS processor; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework type dep loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@yarnpkg/cli | AI (phantom-deps): Yarn integration dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:browserslist | AI (phantom-deps): Build config dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:lightningcss | AI (phantom-deps): Optional CSS processor in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@yarnpkg/core | AI (phantom-deps): Yarn integration dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): UI editor dep referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@apollo/client | AI (phantom-deps): GraphQL client dep in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Framework type dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): Known implicit runtime dep for decorators; stable false positive. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): @teambit/bit is the canonical Bit platform package; not a typosquat of got. | ai | |
| typosquat | typosquat.levenshtein:vite | AI (typosquat): @teambit/bit is the canonical Bit platform package; not a typosquat of vite. | ai | |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.13.209 | 165 / 6 | |
| 1.13.205 | 165 / 6 | |
| 1.13.197 | 164 / 6 | |
| 1.13.194 | 164 / 6 | |
| 1.13.193 | 164 / 6 | |
| 1.13.176 | 164 / 6 | |
| 1.13.165 | 164 / 6 | |
| 1.13.164 | 164 / 6 | |
| 1.13.163 | 164 / 6 | |
| 1.13.161 | 164 / 6 | |
| 1.13.153 | 164 / 6 | |
| 1.13.32 | 163 / 6 | |
| 1.13.16 | 163 / 6 | |
| 1.12.208 | 163 / 6 | |
| 1.12.207 | 163 / 6 | |
| 1.12.206 | 163 / 6 | |
| 1.12.197 | 163 / 6 | |
| 1.12.157 | 163 / 6 | |
| 1.12.147 | 162 / 6 | |
| 1.12.140 | 161 / 6 | |
| 1.12.111 | 161 / 6 | |
| 1.12.76 | 161 / 6 | |
| 1.12.69 | 161 / 6 | |
| 1.12.37 | 161 / 6 | |
| 1.12.36 | 161 / 6 | |
| 1.12.27 | 161 / 6 | |
| 1.12.4 | 161 / 6 | |
| 1.11.21 | 160 / 6 | |
| 1.10.8 | 159 / 6 | |
| 1.10.6 | 158 / 6 | |
| 1.10.2 | 158 / 6 | |
v1.13.209
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.205
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.197
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.194
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.193
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.176
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.165
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.164
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.163
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.153
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.208
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.207
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.206
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.197
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.157
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.147
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.140
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.111
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.76
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.69
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.37
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.