@teambit/status
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | rapid-publish | AI (publish-pattern): teambit uses automated CI/CD releasing hundreds of scoped packages simultaneously; rapid publish is expected behavior. | ai | |
| provenance | no-provenance | AI (provenance): Monorepo package; provenance attestation not enforced for this org. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo package; missing description is stable across versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/lane-id | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component-issues | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component-version | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.component-list | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.snap-distance | AI (dependencies): Internal @teambit org sibling package; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@teambit/objects | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic is a stable false positive for @teambit packages. | ai | |
| phantom-deps | phantom-dep:@teambit/legacy.consumer-component | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic is a stable false positive for @teambit packages. | ai | |
Versions (showing 38 of 138)
| Version | Deps | Published |
|---|---|---|
| 1.0.716 | 23 / 3 | |
| 1.0.714 | 23 / 3 | |
| 1.0.712 | 23 / 3 | |
| 1.0.704 | 23 / 3 | |
| 1.0.699 | 23 / 3 | |
| 1.0.696 | 23 / 3 | |
| 1.0.695 | 23 / 3 | |
| 1.0.694 | 23 / 3 | |
| 1.0.691 | 23 / 3 | |
| 1.0.689 | 23 / 3 | |
| 1.0.683 | 23 / 3 | |
| 1.0.681 | 23 / 3 | |
| 1.0.678 | 23 / 3 | |
| 1.0.676 | 23 / 3 | |
| 1.0.674 | 23 / 3 | |
| 1.0.668 | 23 / 3 | |
| 1.0.665 | 23 / 3 | |
| 1.0.662 | 23 / 3 | |
| 1.0.660 | 23 / 3 | |
| 1.0.657 | 23 / 3 | |
| 1.0.655 | 23 / 3 | |
| 1.0.652 | 23 / 3 | |
| 1.0.650 | 23 / 3 | |
| 1.0.649 | 23 / 3 | |
| 1.0.646 | 23 / 3 | |
| 1.0.644 | 23 / 3 | |
| 1.0.642 | 23 / 3 | |
| 1.0.641 | 23 / 3 | |
| 1.0.640 | 23 / 3 | |
| 1.0.634 | 23 / 3 | |
| 1.0.631 | 23 / 3 | |
| 1.0.630 | 23 / 3 | |
| 1.0.628 | 23 / 3 | |
| 1.0.626 | 23 / 3 | |
| 1.0.622 | 23 / 3 | |
| 1.0.620 | 23 / 3 | |
| 1.0.617 | 23 / 3 | |
| 1.0.613 | 23 / 3 | |
v1.0.716
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.714
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.712
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.704
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.699
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.696
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.695
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.694
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.691
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.689
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.683
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.681
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.678
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.676
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.674
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.668
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.665
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.662
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.660
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.657
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.655
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.652
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.650
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.649
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.646
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.644
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.642
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.641
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.640
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.634
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.631
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.630
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.628
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.626
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.622
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.620
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.617
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.613
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.