@theia/ai-core — Greenflagged

Theia - AI Core

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

eclipsetheiavince-fugnittobhufmannmarc.dumaispaul-marechalmsujewtsmaederjfaltermeierjhelmingeclipse-theia-botsgrabandndoschek

Keywords

theia-extension

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:minimatch	AI (phantom-deps): minimatch is a declared runtime dependency in package.json; phantom-dep false positive for this package.	ai	2026/06/06
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IPs appear only in proxy-util test specs validating bypass logic; not production network calls.	ai	2026/05/23
phantom-deps	phantom-dep:@types/js-yaml	AI (phantom-deps): @types/js-yaml is a type declaration package; not directly imported at runtime, stable false positive.	ai	2026/05/23

Versions (showing 25 of 25)

Version	Deps	Published
1.72.2	13 / 1	2026-06-05
1.72.1	13 / 1	2026-05-29
1.72.0	13 / 1	2026-05-28
1.71.2	13 / 1	2026-05-27
1.71.1	13 / 1	2026-05-11
1.71.0	13 / 1	2026-04-30
1.70.2	13 / 1	2026-04-10
1.66.2	12 / 1	2025-11-10
1.66.1	12 / 1	2025-11-07
1.66.0	12 / 1	2025-10-30
1.65.2	12 / 1	2025-10-14
1.65.0	12 / 1	2025-09-26
1.64.4	13 / 1	2025-10-10
1.64.2	13 / 1	2025-10-01
1.64.1	13 / 1	2025-08-07
1.64.0	13 / 1	2025-07-31
1.63.3	13 / 1	2025-07-16
1.63.2	13 / 1	2025-07-07
1.63.1	13 / 1	2025-07-01
1.63.0	13 / 1	2025-06-26
1.62.2	13 / 1	2025-06-12
1.62.1	13 / 1	2025-06-03
1.62.0	13 / 1	2025-05-28
1.61.1	13 / 1	2025-06-11
1.61.0	13 / 1	2025-04-29

v1.72.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.72.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.72.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.66.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

INFO Publisher changed: sgraband → eclipse-theia-bot (on 2025-11-10, known maintainer) provenance

This version was published by a different npm account (eclipse-theia-bot) than the most recent previously approved version (sgraband) on 2025-11-10, but eclipse-theia-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.66.1

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

INFO Publisher changed: sgraband → eclipse-theia-bot (on 2025-11-07, known maintainer) provenance

This version was published by a different npm account (eclipse-theia-bot) than the most recent previously approved version (sgraband) on 2025-11-07, but eclipse-theia-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.66.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

INFO Publisher changed: sgraband → eclipse-theia-bot (on 2025-10-30, known maintainer) provenance

This version was published by a different npm account (eclipse-theia-bot) than the most recent previously approved version (sgraband) on 2025-10-30, but eclipse-theia-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v1.65.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

INFO Publisher changed: sgraband → eclipse-theia-bot (on 2025-10-14, known maintainer) provenance

This version was published by a different npm account (eclipse-theia-bot) than the most recent previously approved version (sgraband) on 2025-10-14, but eclipse-theia-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.