@teambit/cli-mcp-server

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

teambit-ownershohamgiladdavidfirstranm8guysaaritaymendelerezbitjoshk2redigmayona007

Keywords

bitbit-aspectbit-core-aspectcomponentscollaborationweb

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): davidfirst is a long-standing Teambit contributor (1791 days, 146 approved pkgs); transition appears legitimate.	ai	2026/05/11
source-diff	source-size-tripled	AI (source-diff): Size growth matches 14 new runtime deps and added spec map file; no obfuscation indicators.	ai	2026/05/11
maintainer-change	maintainer-removed	AI (maintainer-change): teambit-owner is the canonical org publisher; maintainer churn within the org is routine housekeeping.	ai	2026/05/11
publish-pattern	new-deps-added	AI (publish-pattern): New deps are first-party @teambit/* packages from the same org; not a supply-chain risk.	ai	2026/05/11
dependencies	unvetted-dep:@teambit/scope.modules.find-scope-path	AI (dependencies): First-party @teambit scoped package; consistent with the rest of the dependency tree for this package.	ai	2026/05/05
dependencies	unvetted-dep:@teambit/scope.remotes	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/legacy.consumer	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/legacy.constants	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/mcp.mcp-config-writer	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/cli	AI (dependencies): Internal @teambit monorepo dependency; same publisher org, stable pattern across all versions.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/pkg.modules.component-package-name	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
npm-metadata	no-description	AI (npm-metadata): Auto-published monorepo component; missing description is a consistent pattern across all versions.	ai	2026/04/29
provenance	no-provenance	AI (provenance): Teambit publishes 500+ versions without provenance; consistent pattern, not a malware signal.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/component.modules.component-url	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/logger	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/harmony	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/component-id	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29
dependencies	unvetted-dep:@teambit/scope.network	AI (dependencies): Internal @teambit monorepo dependency; same publisher org.	ai	2026/04/29