@teambit/worker
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): davidfirst is an established Teambit publisher with 178 approvals; transition from teambit-owner appears to be a routine org account change. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Teambit packages consistently omit descriptions; stable pattern across 1691 versions. | ai | |
| provenance | no-provenance | AI (provenance): Teambit's automated publishing pipeline does not use Sigstore provenance; consistent across all versions. | ai | |
Versions (showing 51 of 146)
| Version | Deps | Published |
|---|---|---|
| 0.0.1639 | 3 / 2 | |
| 0.0.1638 | 3 / 2 | |
| 0.0.1637 | 3 / 2 | |
| 0.0.1636 | 3 / 2 | |
| 0.0.1635 | 3 / 2 | |
| 0.0.1634 | 3 / 2 | |
| 0.0.1633 | 3 / 2 | |
| 0.0.1632 | 3 / 2 | |
| 0.0.1631 | 3 / 2 | |
| 0.0.1630 | 3 / 2 | |
| 0.0.1629 | 3 / 2 | |
| 0.0.1628 | 3 / 2 | |
| 0.0.1627 | 3 / 2 | |
| 0.0.1626 | 3 / 2 | |
| 0.0.1625 | 3 / 2 | |
| 0.0.1624 | 3 / 2 | |
| 0.0.1623 | 3 / 2 | |
| 0.0.1622 | 3 / 2 | |
| 0.0.1621 | 3 / 2 | |
| 0.0.1620 | 3 / 2 | |
| 0.0.1619 | 3 / 2 | |
| 0.0.1618 | 3 / 2 | |
| 0.0.1617 | 3 / 2 | |
| 0.0.1616 | 3 / 2 | |
| 0.0.1615 | 3 / 2 | |
| 0.0.1614 | 3 / 2 | |
| 0.0.1613 | 3 / 2 | |
| 0.0.1612 | 3 / 2 | |
| 0.0.1611 | 3 / 2 | |
| 0.0.1610 | 3 / 2 | |
| 0.0.1609 | 3 / 2 | |
| 0.0.1608 | 3 / 2 | |
| 0.0.1607 | 3 / 2 | |
| 0.0.1606 | 3 / 2 | |
| 0.0.1605 | 3 / 2 | |
| 0.0.1604 | 3 / 2 | |
| 0.0.1603 | 3 / 2 | |
| 0.0.1602 | 3 / 2 | |
| 0.0.1601 | 3 / 2 | |
| 0.0.1600 | 3 / 2 | |
| 0.0.1599 | 3 / 2 | |
| 0.0.1598 | 3 / 2 | |
| 0.0.1597 | 3 / 2 | |
| 0.0.1596 | 3 / 2 | |
| 0.0.1595 | 3 / 2 | |
| 0.0.1594 | 3 / 2 | |
| 0.0.1593 | 3 / 2 | |
| 0.0.1592 | 3 / 2 | |
| 0.0.1591 | 3 / 2 | |
| 0.0.1590 | 3 / 2 | |
| 0.0.1589 | 3 / 2 | |
v0.0.1639
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1638
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1637
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1636
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1635
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1634
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1633
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1632
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1631
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1630
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1629
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1628
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1627
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1626
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1625
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1623
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1622
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1620
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1619
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1618
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1617
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1616
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1615
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1614
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1613
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1612
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1611
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1610
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1609
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1608
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1607
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1606
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1605
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1604
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1603
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1602
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1601
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1600
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1599
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1598
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1597
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1596
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1595
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1594
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1593
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1592
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1591
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1590
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1589
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.