@temporalio/worker — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mjameswhtemporal-sdk-team

Keywords

temporalworkflowworkerisolate

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:base64-decode	AI (semgrep): Base64 usage is for parsing inline source maps from bundled JS (standard webpack pattern), not for hiding payloads. Stable false positive for this package.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/nexus	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/proto	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/client	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/common	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/activity	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/workflow	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/core-bridge	AI (dependencies): First-party sibling package in the same Temporal SDK monorepo, published at the same version. Expected dependency.	ai	2026/04/26
dependencies	unvetted-dep:nexus-rpc	AI (dependencies): nexus-rpc is Temporal's own RPC protocol package, a legitimate dependency for the Temporal worker SDK.	ai	2026/04/26
dependencies	unvetted-dep:protobufjs	AI (dependencies): protobufjs is a widely-used, well-known protobuf library. Expected dependency for a gRPC-based workflow SDK.	ai	2026/04/26
phantom-deps	phantom-dep:@swc/core	AI (phantom-deps): Used indirectly via swc-loader (webpack loader); declared as a dependency for transitive resolution. Standard pattern for webpack-based build tooling.	ai	2026/04/26
phantom-deps	phantom-dep:proto3-json-serializer	AI (phantom-deps): Declared dependency used indirectly via protobuf serialization utilities. Common pattern for SDK packages.	ai	2026/04/26

Versions (showing 15 of 15)

Version	Deps	Published
1.17.2	22 / 1	2026-05-15
1.17.0	22 / 1	2026-04-30
1.16.1	22 / 1	2026-04-21
1.16.0	22 / 1	2026-04-09
1.15.0	22 / 1	2026-02-18
1.14.1	22 / 1	2026-01-08
1.14.0	22 / 1	2025-12-17
1.13.2	22 / 1	2025-11-10
1.13.1	22 / 1	2025-10-08
1.13.0	22 / 1	2025-08-27
1.12.3	19 / 1	2025-08-19
1.12.2	19 / 1	2025-08-13
1.12.1	19 / 1	2025-07-07
1.12.0	19 / 1	2025-07-01
1.11.8	17 / 1	2025-05-13

v1.17.2

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: temporal-sdk-team.