@theia/application-manager
Theia application manager API.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:electron-rebuild | AI (phantom-deps): Referenced in config/build scripts rather than direct imports; expected for Electron build tooling. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-classes | AI (phantom-deps): Babel plugin loaded by convention via babel config, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-runtime | AI (phantom-deps): Babel plugin loaded by convention via babel config, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): Type-only package, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@types/fs-extra | AI (phantom-deps): Type-only package, not directly imported at runtime. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Theia monorepo package; README signals are false positives for a scoped ecosystem package. | ai | |
| phantom-deps | phantom-dep:webpack-cli | AI (phantom-deps): CLI tool invoked via scripts, not directly imported. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:ignore-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:worker-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:source-map-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:umd-compat-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Application manager legitimately passes process.env to child processes; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:string-replace-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): Browser polyfill referenced in webpack config, not directly imported. | ai | |
| phantom-deps | phantom-dep:http-server | AI (phantom-deps): CLI tool used for serving, not directly imported. | ai | |
| phantom-deps | phantom-dep:@electron/rebuild | AI (phantom-deps): Invoked as CLI tool for native module rebuilding, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped; loaded by babel-loader at runtime, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel preset referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): Referenced in generated app entry points, not directly imported by this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Application manager spawns build/run processes by design; expected usage for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning subprocesses is core functionality of an application manager; stable for this package. | ai | |
| phantom-deps | phantom-dep:less | AI (phantom-deps): Webpack loader/plugin deps referenced in generated config files, not directly imported in JS. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:node-loader | AI (phantom-deps): Webpack loader referenced in config, not directly imported. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 1.72.2 | 37 / 1 | |
| 1.72.1 | 37 / 1 | |
| 1.72.0 | 37 / 1 | |
| 1.71.2 | 34 / 1 | |
| 1.71.1 | 34 / 1 | |
| 1.71.0 | 34 / 1 | |
| 1.70.2 | 34 / 1 | |
| 1.70.1 | 34 / 1 | |
| 1.70.0 | 34 / 1 | |
| 1.69.0 | 33 / 1 | |
| 1.68.2 | 33 / 1 | |
| 1.68.1 | 33 / 1 | |
| 1.68.0 | 33 / 1 | |
| 1.67.0 | 33 / 1 | |
| 1.66.2 | 33 / 1 | |
| 1.66.1 | 33 / 1 | |
| 1.66.0 | 33 / 1 | |
| 1.65.2 | 33 / 1 | |
| 1.65.1 | 33 / 1 | |
| 1.65.0 | 33 / 1 | |
| 1.64.4 | 33 / 1 | |
| 1.64.3 | 33 / 1 | |
| 1.64.2 | 33 / 1 | |
| 1.64.1 | 33 / 1 | |
| 1.64.0 | 33 / 1 | |
| 1.63.3 | 33 / 1 | |
| 1.63.2 | 33 / 1 | |
| 1.63.1 | 33 / 1 | |
| 1.63.0 | 33 / 1 | |
| 1.62.2 | 33 / 1 | |
| 1.62.1 | 33 / 1 | |
| 1.62.0 | 33 / 1 | |
| 1.61.1 | 33 / 1 | |
| 1.61.0 | 33 / 1 | |
v1.72.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.72.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.72.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.71.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.71.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.70.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.69.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.68.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.68.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.68.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.67.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.66.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.66.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.66.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.65.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.65.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.65.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.64.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.64.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.64.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.64.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.64.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.63.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.63.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.63.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.63.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.62.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.62.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.62.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.61.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.61.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.