@teambit/objects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dynamic-require | AI (semgrep): User-configured hook path loaded at runtime; intentional plugin/hook loader pattern for this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/graph.cleargraph | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.cli.error | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/bit.get-bit-version | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.crypto.sha1 | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/semantics.doc-parser | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.get-basic-log | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.in-memory-cache | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-config | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.snap-distance | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.promise.map-pool | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/pkg.modules.semver-helper | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.concurrency | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.fs.remove-empty-dir | AI (dependencies): Internal @teambit monorepo dep from trusted publisher; stable pattern across versions. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Bit monorepo component package; missing description is a consistent pattern across all @teambit/* packages. | ai | |
| provenance | no-provenance | AI (provenance): Established @teambit/* monorepo; no provenance is consistent across all versions of this package family. | ai | |
Versions (showing 46 of 46)
| Version | Deps | Published |
|---|---|---|
| 0.0.503 | 42 / 5 | |
| 0.0.496 | 42 / 5 | |
| 0.0.495 | 42 / 5 | |
| 0.0.489 | 42 / 5 | |
| 0.0.488 | 42 / 5 | |
| 0.0.487 | 42 / 5 | |
| 0.0.486 | 42 / 5 | |
| 0.0.485 | 42 / 5 | |
| 0.0.484 | 42 / 5 | |
| 0.0.483 | 42 / 5 | |
| 0.0.479 | 42 / 5 | |
| 0.0.478 | 42 / 5 | |
| 0.0.477 | 42 / 5 | |
| 0.0.476 | 42 / 5 | |
| 0.0.475 | 42 / 5 | |
| 0.0.473 | 42 / 5 | |
| 0.0.472 | 42 / 5 | |
| 0.0.470 | 42 / 5 | |
| 0.0.468 | 42 / 5 | |
| 0.0.466 | 42 / 5 | |
| 0.0.465 | 42 / 5 | |
| 0.0.464 | 42 / 5 | |
| 0.0.463 | 42 / 5 | |
| 0.0.461 | 42 / 5 | |
| 0.0.459 | 42 / 5 | |
| 0.0.458 | 42 / 5 | |
| 0.0.456 | 42 / 5 | |
| 0.0.454 | 42 / 5 | |
| 0.0.452 | 42 / 5 | |
| 0.0.450 | 42 / 5 | |
| 0.0.448 | 42 / 5 | |
| 0.0.446 | 42 / 5 | |
| 0.0.443 | 42 / 5 | |
| 0.0.442 | 42 / 5 | |
| 0.0.440 | 42 / 5 | |
| 0.0.439 | 42 / 5 | |
| 0.0.438 | 42 / 5 | |
| 0.0.436 | 42 / 5 | |
| 0.0.434 | 42 / 5 | |
| 0.0.432 | 42 / 5 | |
| 0.0.255 | 41 / 5 | |
| 0.0.253 | 41 / 5 | |
| 0.0.180 | 42 / 5 | |
| 0.0.174 | 42 / 5 | |
| 0.0.157 | 42 / 5 | |
| 0.0.120 | 43 / 5 | |
v0.0.503
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.496
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.495
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.489
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.488
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.487
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.486
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.485
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.484
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.483
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.479
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.478
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.477
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.476
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.472
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.255
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.253
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.180
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.174
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.157
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.120
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.