@teambit/global-config
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Long-established teambit org package; removal of learn-bit without new additions is consistent with routine org maintenance. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established monorepo package; missing description is stable pattern. | ai | |
| provenance | no-provenance | AI (provenance): Only ~12% of npm has provenance; not a disqualifier for established packages. | ai | |
| dependencies | unvetted-dep:@teambit/config-store | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/cli | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/scope.remotes | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Sibling @teambit monorepo package; unvetted status is a pipeline artifact, not a risk signal. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.0.1331 | 12 / 5 | |
| 0.0.1330 | 12 / 5 | |
| 0.0.1329 | 12 / 5 | |
| 0.0.1328 | 12 / 5 | |
| 0.0.1327 | 12 / 5 | |
| 0.0.1326 | 12 / 5 | |
| 0.0.1323 | 12 / 5 | |
| 0.0.1321 | 12 / 5 | |
| 0.0.1320 | 12 / 5 | |
| 0.0.1319 | 12 / 5 | |
| 0.0.1317 | 12 / 5 | |
| 0.0.1316 | 12 / 5 | |
| 0.0.1315 | 12 / 5 | |
| 0.0.1314 | 12 / 5 | |
| 0.0.1313 | 12 / 5 | |
| 0.0.1311 | 12 / 5 | |
| 0.0.1310 | 12 / 5 | |
| 0.0.1288 | 12 / 5 | |
| 0.0.1287 | 12 / 5 | |
| 0.0.1242 | 12 / 5 | |
| 0.0.1240 | 12 / 5 | |
| 0.0.1231 | 12 / 5 | |
| 0.0.1216 | 12 / 5 | |
| 0.0.1215 | 12 / 5 | |
| 0.0.1199 | 12 / 5 | |
| 0.0.1198 | 12 / 5 | |
| 0.0.1197 | 12 / 5 | |
| 0.0.1195 | 12 / 5 | |
| 0.0.1194 | 12 / 5 | |
| 0.0.1193 | 12 / 5 | |
| 0.0.1192 | 12 / 5 | |
| 0.0.1191 | 12 / 5 | |
| 0.0.1190 | 12 / 5 | |
v0.0.1331
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1330
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1329
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1328
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1327
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1326
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1288
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1287
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1242
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1240
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1231
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1216
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1215
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1199
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1198
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1197
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1195
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1194
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1193
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1192
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1191
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1190
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.