@teambit/docs
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/docs.entities.doc | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/base-ui.loaders.skeleton | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/docs.ui.overview-compare | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/component.ui.component-meta | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/preview.ui.component-preview | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.ui.use-workspace-mode | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/docs.ui.overview-compare-section | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@teambit/compositions.panels.composition-gallery | AI (dependencies): Same-org @teambit/* dependency; stable pattern across all versions of this package. | ai | |
| phantom-deps | phantom-dep:@teambit/legacy.consumer-component | AI (phantom-deps): Same org scope; phantom-dep heuristic fires on indirect usage patterns common in Bit's component architecture. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established teambit package; missing description is a known pattern across the @teambit/* namespace, not a malware signal. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is consistent across all @teambit/* releases; not a disqualifier for this established org. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @teambit/docs is a Bit.dev core aspect; name similarity to 'cors' is purely coincidental. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.0.990 | 30 / 6 | |
| 1.0.972 | 30 / 6 | |
| 1.0.971 | 30 / 6 | |
| 1.0.970 | 30 / 6 | |
| 1.0.968 | 30 / 6 |
v1.0.990
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.972
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.971
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.