@teambit/ci
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@teambit/legacy.consumer-component | AI (phantom-deps): Same-org @teambit scope; declared dep, likely used transitively or via re-export pattern. | ai | |
| phantom-deps | phantom-dep:@teambit/lane-id | AI (phantom-deps): Same-org @teambit scope; declared dep, likely used transitively or via re-export pattern. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are first-party @teambit packages from the same org; low risk for this publisher. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): teambit-owner has 882 approved packages; maintainer rotation within the org is expected. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with 1519 versions; missing description is metadata gap, not malware indicator. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is infrastructure choice; not a security disqualifier for established packages. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.string.random | AI (dependencies): First-party @teambit sibling dep; stable pattern. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): First-party @teambit sibling dep from the teambit/bit monorepo; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): First-party @teambit sibling dep; stable pattern. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): First-party @teambit sibling dep; stable pattern. | ai | |
| dependencies | unvetted-dep:@teambit/component.modules.merge-helper | AI (dependencies): First-party @teambit sibling dep; stable pattern. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @teambit package; Levenshtein match against 'pg' is a false positive. | ai | |
| phantom-deps | phantom-dep:@teambit/objects | AI (phantom-deps): Same-org monorepo dep; may be used transitively or in dist files not scanned. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped @teambit package; Levenshtein match against 'joi' is a false positive. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @teambit package; Levenshtein match against 'qs' is a false positive. | ai |
Versions (showing 51 of 109)
| Version | Deps | Published |
|---|---|---|
| 1.0.387 | 26 / 3 | |
| 1.0.379 | 21 / 3 | |
| 1.0.364 | 21 / 3 | |
| 1.0.363 | 21 / 3 | |
| 1.0.362 | 21 / 3 | |
| 1.0.361 | 21 / 3 | |
| 1.0.360 | 21 / 3 | |
| 1.0.359 | 21 / 3 | |
| 1.0.358 | 21 / 3 | |
| 1.0.352 | 21 / 3 | |
| 1.0.351 | 21 / 3 | |
| 1.0.350 | 21 / 3 | |
| 1.0.349 | 21 / 3 | |
| 1.0.348 | 21 / 3 | |
| 1.0.344 | 21 / 3 | |
| 1.0.343 | 21 / 3 | |
| 1.0.340 | 21 / 3 | |
| 1.0.337 | 21 / 3 | |
| 1.0.336 | 21 / 3 | |
| 1.0.334 | 21 / 3 | |
| 1.0.327 | 21 / 3 | |
| 1.0.323 | 21 / 3 | |
| 1.0.319 | 21 / 3 | |
| 1.0.318 | 21 / 3 | |
| 1.0.317 | 21 / 3 | |
| 1.0.316 | 21 / 3 | |
| 1.0.315 | 21 / 3 | |
| 1.0.314 | 21 / 3 | |
| 1.0.312 | 21 / 3 | |
| 1.0.311 | 21 / 3 | |
| 1.0.310 | 21 / 3 | |
| 1.0.309 | 21 / 3 | |
| 1.0.307 | 21 / 3 | |
| 1.0.305 | 21 / 3 | |
| 1.0.303 | 21 / 3 | |
| 1.0.302 | 21 / 3 | |
| 1.0.301 | 21 / 3 | |
| 1.0.183 | 18 / 2 | |
| 1.0.154 | 18 / 2 | |
| 1.0.150 | 18 / 2 | |
| 1.0.147 | 18 / 2 | |
| 1.0.145 | 18 / 2 | |
| 1.0.129 | 18 / 2 | |
| 1.0.127 | 18 / 2 | |
| 1.0.126 | 18 / 2 | |
| 1.0.109 | 18 / 2 | |
| 1.0.97 | 18 / 2 | |
| 1.0.92 | 18 / 2 | |
| 1.0.89 | 18 / 2 | |
| 1.0.88 | 18 / 2 | |
| 1.0.82 | 18 / 2 |
v1.0.387
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.379
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.364
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.363
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.362
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.361
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.360
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.359
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.358
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.352
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.351
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.350
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.349
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.340
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.334
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.317
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.316
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.183
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.154
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.150
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.147
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.145
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.129
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.127
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.126
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.109
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.97
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.92
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.89
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.88
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.82
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.