@things-factory/integration-marketplace
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): README link dump and no keywords are cosmetic; package is a legitimate long-lived @things-factory module. | ai | |
| phantom-deps | phantom-dep:@things-factory/auth-ui | AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:@things-factory/code-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/more-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/biz-base | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/system-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/context-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/setting-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/resource-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/integration-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@things-factory/apptool-ui | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in migrations/index.js is a standard migration-loader pattern; stable false positive for this package. | ai | |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 9.2.24 | 14 / 8 | |
| 9.2.23 | 14 / 8 | |
| 9.2.22 | 14 / 8 | |
| 9.2.21 | 14 / 8 | |
| 9.2.20 | 14 / 8 | |
| 9.2.18 | 14 / 8 | |
| 8.0.75 | 14 / 8 | |
| 6.4.8 | 15 / 8 | |
| 4.3.824 | 16 / 8 | |
| 4.3.823 | 16 / 8 | |
| 4.3.798 | 16 / 8 | |
| 4.3.790 | 16 / 8 | |
| 4.3.755 | 16 / 8 | |
| 4.3.752 | 16 / 8 | |
| 4.3.740 | 16 / 8 | |
| 4.3.734 | 16 / 8 | |
| 4.3.729 | 16 / 8 | |
| 4.3.686 | 16 / 8 | |
| 4.3.685 | 16 / 8 | |
| 4.3.684 | 16 / 8 | |
| 4.3.683 | 16 / 8 | |
| 4.3.682 | 16 / 8 | |
| 4.3.681 | 16 / 8 | |
| 4.3.677 | 16 / 8 | |
| 4.3.675 | 16 / 8 | |
| 4.3.673 | 16 / 8 | |
| 4.3.671 | 16 / 8 | |
| 4.3.669 | 16 / 8 | |
| 4.3.660 | 16 / 8 | |
| 4.3.656 | 16 / 8 | |
| 4.3.653 | 16 / 8 | |
| 4.3.652 | 16 / 8 | |
| 4.3.647 | 16 / 8 | |
| 4.3.642 | 16 / 8 | |
| 4.3.639 | 16 / 8 | |
| 4.3.638 | 16 / 8 | |
| 4.3.637 | 16 / 8 | |
v9.2.24
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-05-15, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v9.2.23
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-05-11, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v9.2.22
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-05-11, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v9.2.21
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-05-11, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v9.2.20
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nalshya113) than the most recent previously approved version (horwengliang95) on 2026-05-08, but nalshya113 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v9.2.18
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.75
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.824
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.823
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.798
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.790
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.755
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.752
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.740
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.734
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.729
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.686
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.685
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.684
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.683
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.682
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.681
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.677
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.675
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.673
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.671
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.669
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.660
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.656
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.653
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.652
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.647
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.642
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.639
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.638
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.637
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.