@teambit/config
WIP: this was cherry-picked from another branch, so it doesn't contain all the logic. Please do not touch :)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): teambit-owner is the canonical publisher with strong track record; learn-bit removal is an internal org change, not a takeover signal. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.path.path | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-config | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/scope.modules.find-scope-path | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.modules.workspace-locator | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal @teambit ecosystem dep; stable pattern across all versions of this package. | ai | |
| provenance | no-provenance | AI (provenance): Established teambit monorepo package; no provenance is consistent across all 1710+ versions. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.0.1502 | 18 / 4 | |
| 0.0.1501 | 18 / 4 | |
| 0.0.1500 | 18 / 4 | |
| 0.0.1499 | 18 / 4 | |
| 0.0.1498 | 18 / 4 | |
| 0.0.1496 | 18 / 4 | |
| 0.0.1495 | 18 / 4 | |
| 0.0.1491 | 18 / 4 | |
| 0.0.1490 | 18 / 4 | |
| 0.0.1489 | 18 / 4 | |
| 0.0.1486 | 18 / 4 | |
| 0.0.1484 | 18 / 4 | |
| 0.0.1482 | 18 / 4 | |
| 0.0.1459 | 18 / 4 | |
| 0.0.1458 | 18 / 4 | |
| 0.0.1407 | 19 / 4 | |
| 0.0.1370 | 19 / 4 | |
| 0.0.1369 | 19 / 4 | |
| 0.0.1368 | 19 / 4 | |
| 0.0.1361 | 19 / 4 | |
v0.0.1502
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1501
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1500
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1499
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1498
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1496
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1491
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1490
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1489
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1486
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1484
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1459
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1458
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1407
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1370
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1369
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1368
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1361
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.