@thi.ng/dynvar
Dynamically scoped variable bindings
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): thi.ng/umbrella monorepo does not use Sigstore provenance; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@thi.ng/api | AI (dependencies): Same-org sibling dependency within thi.ng/umbrella; stable pattern across all package versions. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.3.132 | 2 / 3 | |
| 0.3.131 | 2 / 3 | |
| 0.3.130 | 2 / 3 | |
| 0.3.128 | 2 / 3 | |
| 0.3.127 | 2 / 3 | |
| 0.3.126 | 2 / 3 | |
| 0.3.125 | 2 / 3 | |
| 0.3.124 | 2 / 3 | |
| 0.3.123 | 2 / 3 | |
| 0.3.122 | 2 / 3 | |
| 0.3.121 | 2 / 3 | |
| 0.3.120 | 2 / 3 | |
| 0.3.119 | 2 / 3 | |
| 0.3.118 | 2 / 3 | |
| 0.3.117 | 2 / 3 | |
| 0.3.116 | 2 / 3 | |
| 0.3.115 | 2 / 3 | |
| 0.3.114 | 2 / 3 | |
| 0.3.113 | 2 / 3 | |
| 0.3.112 | 2 / 3 | |
| 0.3.108 | 2 / 3 | |
| 0.3.107 | 2 / 3 | |
| 0.3.105 | 2 / 3 | |
| 0.3.104 | 2 / 3 | |
| 0.3.103 | 2 / 3 | |
| 0.3.102 | 2 / 3 | |
| 0.3.101 | 2 / 3 | |
| 0.3.100 | 2 / 3 | |
| 0.3.99 | 2 / 3 |
v0.3.132
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.131
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.130
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.128
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.127
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.126
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.125
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.124
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.123
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.122
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.121
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.120
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.119
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.118
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.117
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.116
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.115
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.114
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.113
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.112
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.108
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.107
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.105
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.104
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.103
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.102
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.101
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.100
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.99
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.