@teambit/host-initializer
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package; provenance is a best-practice recommendation, not a blocker for this mature project. | ai | |
| dependencies | unvetted-dep:@teambit/config | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/logger | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/objects | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/config-store | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.bit-map | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/cli | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope-api | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/mcp.mcp-config-writer | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.string.random | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.fs.is-dir-empty | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/scope.modules.find-scope-path | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.modules.workspace-locator | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Bit ecosystem packages consistently omit npm descriptions; not a malware indicator here. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Sibling @teambit/* package from the same monorepo. | ai |
Versions (showing 14 of 114)
| Version | Deps | Published |
|---|---|---|
| 0.0.532 | 23 / 3 | |
| 0.0.531 | 23 / 3 | |
| 0.0.528 | 23 / 3 | |
| 0.0.527 | 23 / 3 | |
| 0.0.525 | 23 / 3 | |
| 0.0.524 | 23 / 3 | |
| 0.0.522 | 23 / 3 | |
| 0.0.519 | 23 / 3 | |
| 0.0.518 | 23 / 3 | |
| 0.0.517 | 23 / 3 | |
| 0.0.516 | 23 / 3 | |
| 0.0.513 | 23 / 3 | |
| 0.0.510 | 23 / 3 | |
| 0.0.323 | 20 / 3 |
v0.0.532
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.531
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.528
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.527
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.525
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.524
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.522
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.519
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.518
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.517
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.516
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.513
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.510
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.323
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.