← Home

@theia/ovsx-client

npm Repository Homepage

Theia Open-VSX Client

34
Versions
EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

eclipsetheiavince-fugnittobhufmannmarc.dumaispaul-marechalmsujewtsmaederjfaltermeierjhelmingeclipse-theia-botsgrabandndoschek

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Eclipse-theia migrated publishing to GitHub Actions CI; SLSA attestation confirms supply chain integrity. ai
bogus-package bogus-package AI (bogus-package): Monorepo sub-package of eclipse-theia/theia; README links and missing keywords are expected for this package structure. ai
dependencies unvetted-dep:@theia/request AI (dependencies): Sibling package in the same Eclipse Theia monorepo, published at the same version; stable false positive. ai

Versions (showing 34 of 34)

Version Deps Published
1.72.2 4 / 0
1.72.1 4 / 0
1.72.0 4 / 0
1.71.2 4 / 0
1.71.1 4 / 0
1.71.0 4 / 0
1.70.2 4 / 0
1.70.1 4 / 0
1.70.0 4 / 0
1.69.0 4 / 0
1.68.2 4 / 0
1.68.1 4 / 0
1.68.0 4 / 0
1.67.0 4 / 0
1.66.2 4 / 0
1.66.1 4 / 0
1.66.0 4 / 0
1.65.2 4 / 0
1.65.1 4 / 0
1.65.0 4 / 0
1.64.4 4 / 0
1.64.3 4 / 0
1.64.2 4 / 0
1.64.1 4 / 0
1.64.0 4 / 0
1.63.3 4 / 0
1.63.2 4 / 0
1.63.1 4 / 0
1.63.0 4 / 0
1.62.2 4 / 0
1.62.1 4 / 0
1.62.0 4 / 0
1.61.1 4 / 0
1.61.0 4 / 0

v1.72.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.72.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.72.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.71.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.70.0

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.69.0

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2026-02-26) provenance

This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.68.2

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.68.1

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.68.0

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2026-01-29) provenance

This version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.67.0

2 findings
HIGH Publisher changed: eclipse-theia-bot → GitHub Actions (on 2025-12-10) provenance

This version was published by a different npm account than previous versions on 2025-12-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.66.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.66.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.66.0

2 findings
HIGH Publisher changed: sgraband → eclipse-theia-bot (on 2025-10-30) provenance

This version was published by a different npm account than previous versions on 2025-10-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.65.2

2 findings
HIGH Publisher changed: sgraband → eclipse-theia-bot (on 2025-10-14) provenance

This version was published by a different npm account than previous versions on 2025-10-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.65.1

2 findings
HIGH Publisher changed: sgraband → ndoschek (on 2025-10-06) provenance

This version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.65.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.64.4

2 findings
HIGH Publisher changed: sgraband → ndoschek (on 2025-10-10) provenance

This version was published by a different npm account than previous versions on 2025-10-10. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.64.3

2 findings
HIGH Publisher changed: sgraband → ndoschek (on 2025-10-08) provenance

This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.64.2

2 findings
HIGH Publisher changed: sgraband → ndoschek (on 2025-10-01) provenance

This version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.64.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.64.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.63.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.63.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.63.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.63.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.62.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.62.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.62.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.61.1

2 findings
HIGH Publisher changed: sgraband → jfaltermeier (on 2025-06-11) provenance

This version was published by a different npm account than previous versions on 2025-06-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.61.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.