@teambit/config-merger
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/component.modules.merge-helper | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/pkg.modules.semver-helper | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/component-version | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| dependencies | unvetted-dep:@teambit/component-package-version | AI (dependencies): Internal @teambit monorepo dependency; stable false positive for this package family. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is consistent across all @teambit/* releases; not a risk signal for this publisher. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Teambit monorepo component; missing description is a stable pattern across all @teambit/* packages. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.0.839 | 22 / 4 | |
| 0.0.838 | 22 / 4 | |
| 0.0.837 | 22 / 4 | |
| 0.0.836 | 22 / 4 | |
| 0.0.835 | 22 / 4 | |
| 0.0.831 | 22 / 4 | |
| 0.0.797 | 22 / 4 | |
| 0.0.792 | 22 / 4 | |
v0.0.839
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.838
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.837
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.836
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.