@teambit/pkg
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance not enabled; stable across 2945 versions of this established package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo package; missing description is stable pattern for internal teambit packages. | ai | |
| dependencies | unvetted-dep:is-relative-path | AI (dependencies): Well-known utility package; no malware signal. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/component-issues | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/component-version | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@pnpm/plugin-commands-publishing | AI (dependencies): Official pnpm plugin; no malware signal. | ai | |
| dependencies | unvetted-dep:@teambit/component-package-version | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/ui-foundation.ui.use-box.menu | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.in-memory-cache | AI (dependencies): Internal @teambit monorepo dependency. | ai | |
| phantom-deps | phantom-dep:@teambit/compiler | AI (phantom-deps): Same-org dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal @teambit monorepo dependency; stable pattern across all versions. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): @teambit/pkg is a legitimate Bit core aspect, not a typosquat of 'pg'; scoped package in an established monorepo. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.0.990 | 39 / 7 | |
| 1.0.972 | 39 / 7 | |
| 1.0.971 | 39 / 7 | |
| 1.0.970 | 39 / 7 | |
| 1.0.968 | 39 / 7 |
v1.0.990
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.972
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.971
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.