@teambit/watcher
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Established teambit org package with 2050 versions; maintainer removal is routine org hygiene, not a takeover signal. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with 2007 versions; missing description is stable pattern, not malware indicator. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is cosmetic for established package; not a security blocker. | ai | |
| dependencies | unvetted-dep:@teambit/pubsub | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/workspace | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/ipc-events | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component-id | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/config-store | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.scope | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/cli | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.logger | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.bit-map | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.constants | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony.modules.send-server-sent-events | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| phantom-deps | phantom-dep:@teambit/legacy.bit-map | AI (phantom-deps): Same-org dep; phantom-dep heuristic unreliable for monorepo packages with indirect usage. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/scope | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/logger | AI (dependencies): Same-org sibling dep from teambit/bit monorepo; expected pattern across all versions. | ai | |
Versions (showing 65 of 65)
| Version | Deps | Published |
|---|---|---|
| 1.0.995 | 24 / 4 | |
| 1.0.993 | 24 / 4 | |
| 1.0.992 | 24 / 4 | |
| 1.0.991 | 24 / 4 | |
| 1.0.990 | 24 / 4 | |
| 1.0.989 | 24 / 4 | |
| 1.0.988 | 24 / 4 | |
| 1.0.987 | 24 / 4 | |
| 1.0.986 | 24 / 4 | |
| 1.0.983 | 24 / 4 | |
| 1.0.982 | 24 / 4 | |
| 1.0.981 | 24 / 4 | |
| 1.0.980 | 24 / 4 | |
| 1.0.976 | 24 / 4 | |
| 1.0.975 | 24 / 4 | |
| 1.0.974 | 24 / 4 | |
| 1.0.973 | 24 / 4 | |
| 1.0.972 | 24 / 4 | |
| 1.0.971 | 24 / 4 | |
| 1.0.970 | 24 / 4 | |
| 1.0.969 | 24 / 4 | |
| 1.0.968 | 24 / 4 | |
| 1.0.958 | 24 / 4 | |
| 1.0.939 | 24 / 4 | |
| 1.0.932 | 24 / 4 | |
| 1.0.925 | 24 / 4 | |
| 1.0.839 | 24 / 4 | |
| 1.0.838 | 24 / 4 | |
| 1.0.835 | 24 / 4 | |
| 1.0.834 | 24 / 4 | |
| 1.0.833 | 24 / 4 | |
| 1.0.832 | 24 / 4 | |
| 1.0.831 | 24 / 4 | |
| 1.0.830 | 24 / 4 | |
| 1.0.829 | 24 / 4 | |
| 1.0.827 | 24 / 4 | |
| 1.0.825 | 24 / 4 | |
| 1.0.824 | 24 / 4 | |
| 1.0.823 | 24 / 4 | |
| 1.0.821 | 24 / 4 | |
| 1.0.820 | 24 / 4 | |
| 1.0.818 | 24 / 4 | |
| 1.0.817 | 24 / 4 | |
| 1.0.816 | 24 / 4 | |
| 1.0.814 | 24 / 4 | |
| 1.0.813 | 24 / 4 | |
| 1.0.811 | 24 / 4 | |
| 1.0.809 | 24 / 4 | |
| 1.0.806 | 24 / 4 | |
| 1.0.805 | 24 / 4 | |
| 1.0.801 | 24 / 4 | |
| 1.0.800 | 24 / 4 | |
| 1.0.799 | 24 / 4 | |
| 1.0.798 | 24 / 4 | |
| 1.0.797 | 24 / 4 | |
| 1.0.742 | 24 / 4 | |
| 1.0.622 | 25 / 4 | |
| 1.0.618 | 25 / 4 | |
| 1.0.617 | 25 / 4 | |
| 1.0.616 | 25 / 4 | |
| 1.0.615 | 25 / 4 | |
| 1.0.613 | 25 / 4 | |
| 1.0.612 | 25 / 4 | |
| 1.0.611 | 25 / 4 | |
| 1.0.610 | 25 / 4 | |
v1.0.995
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.993
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.992
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.991
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.990
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.989
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.988
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.987
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.986
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.983
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.982
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.981
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.980
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.976
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.975
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.974
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.973
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.972
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.971
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.970
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.969
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.958
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.939
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.932
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.925
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.839
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.838
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.835
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.834
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.833
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.832
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.831
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.830
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.829
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.827
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.825
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.824
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.823
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.821
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.820
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.818
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.817
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.816
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.814
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.813
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.811
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.809
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.806
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.805
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.801
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.800
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.799
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.798
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.797
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.742
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.622
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.618
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.617
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.616
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.615
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.613
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.612
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.611
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.610
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.