@teambit/pnpm
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | rapid-publish | AI (publish-pattern): Teambit uses automated CI publishing across 3000+ versions; rapid publish is normal for this monorepo. | ai | |
| dependencies | unvetted-dep:@teambit/pkg.config.auth | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/ui-foundation.ui.use-box.menu | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.feature-toggle | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.string.strip-trailing-char | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/core | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/list | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/logger | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/worker | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:credentials-by-uri | AI (dependencies): Standard pnpm credential helper; expected dependency for a pnpm wrapper. | ai | |
| dependencies | unvetted-dep:@pnpm/sort-packages | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/plugin-trusted-deps | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/workspace.pkgs-graph | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@pnpm/plugin-commands-rebuild | AI (dependencies): Known @pnpm ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/pkg.entities.registry | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/component-package-version | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@teambit/dependencies.pnpm.dep-path | AI (dependencies): Known @teambit ecosystem package; stable dependency for this package. | ai | |
| phantom-deps | phantom-dep:@pnpm/package-store | AI (phantom-deps): @pnpm/package-store is a legitimate declared dependency used indirectly; false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Teambit publishes thousands of versions without provenance; consistent pattern, not a risk indicator. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established @teambit/* ecosystem package; missing description is a consistent pattern across their packages, not a malware signal. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.0.1038 | 46 / 7 | |
| 1.0.999 | 46 / 7 | |
| 1.0.998 | 46 / 7 | |
| 1.0.997 | 46 / 7 | |
| 1.0.995 | 46 / 7 | |
| 1.0.950 | 46 / 7 | |
| 1.0.949 | 46 / 7 | |
| 1.0.776 | 45 / 7 | |
| 1.0.774 | 45 / 7 | |
| 1.0.773 | 45 / 7 | |
| 1.0.767 | 45 / 7 | |
| 1.0.694 | 45 / 7 | |
| 1.0.664 | 45 / 7 | |
| 1.0.656 | 45 / 7 |
v1.0.1038
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.999
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.998
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.997
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.776
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.774
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.773
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.767
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.694
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.664
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.656
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.