@things-factory/integration-ui

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

woo_ramjyp220heartyohhorwengliang95nalshya113shortstopyoungwookwengliang95

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@things-factory/export-base	AI (dependencies): Same org scope (@things-factory); consistent pattern across many versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@operato/i18n	AI (dependencies): @operato is the companion org scope used consistently across this package's dependency tree.	ai	2026/05/18
dependencies	unvetted-dep:@things-factory/modeller-ui	AI (dependencies): Same org scope (@things-factory); consistent pattern across many versions of this package.	ai	2026/05/18
dependencies	unvetted-dep:@things-factory/import-base	AI (dependencies): Same org scope (@things-factory); consistent pattern across many versions of this package.	ai	2026/05/18
provenance	no-provenance	AI (provenance): Established monorepo package with 1217 versions; lack of provenance is consistent across all prior releases.	ai	2026/05/06
phantom-deps	phantom-dep:@things-factory/export-base	AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic false positive for this package family.	ai	2026/04/30
bogus-package	bogus-package	AI (bogus-package): Monorepo UI package with minimal README and empty server entry point is normal for this ecosystem.	ai	2026/04/30
phantom-deps	phantom-dep:subscriptions-transport-ws	AI (phantom-deps): Config-file reference pattern; stable false positive for this package.	ai	2026/04/30
phantom-deps	phantom-dep:@things-factory/integration-base	AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic false positive for this package family.	ai	2026/04/30
phantom-deps	phantom-dep:@things-factory/import-base	AI (phantom-deps): Same-org monorepo dep; phantom-dep heuristic false positive for this package family.	ai	2026/04/30

Versions (showing 34 of 34)

Version	Deps	Published
4.3.824	14 / 0	2026-05-05
4.3.822	14 / 0	2026-04-29
4.3.815	14 / 0	2026-04-16
4.3.804	14 / 0	2026-04-10
4.3.791	14 / 0	2026-03-16
4.3.788	14 / 0	2026-03-13
4.3.776	14 / 0	2026-02-23
4.3.770	14 / 0	2026-02-05
4.3.767	14 / 0	2026-01-29
4.3.764	14 / 0	2026-01-28
4.3.755	14 / 0	2026-01-20
4.3.752	14 / 0	2026-01-15
4.3.743	14 / 0	2026-01-08
4.3.740	14 / 0	2026-01-05
4.3.738	14 / 0	2025-12-23
4.3.734	14 / 0	2025-12-17
4.3.729	14 / 0	2025-12-16
4.3.727	14 / 0	2025-12-12
4.3.725	14 / 0	2025-12-11
4.3.723	14 / 0	2025-12-11
4.3.705	14 / 0	2025-12-10
4.3.695	14 / 0	2025-11-21
4.3.689	14 / 0	2025-11-02
4.3.686	14 / 0	2025-10-24
4.3.685	14 / 0	2025-10-24
4.3.684	14 / 0	2025-10-24
4.3.682	14 / 0	2025-10-14
4.3.677	14 / 0	2025-09-18
4.3.675	14 / 0	2025-08-27
4.3.673	14 / 0	2025-08-21
4.3.672	14 / 0	2025-08-21
4.3.671	14 / 0	2025-08-21
4.3.653	14 / 0	2025-07-09
4.3.652	14 / 0	2025-07-03

v4.3.824

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.815

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: wengliang95 → horwengliang95 (on 2026-04-16, known maintainer) provenance

This version was published by a different npm account (horwengliang95) than the most recent previously approved version (wengliang95) on 2026-04-16, but horwengliang95 is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v4.3.804

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.791

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.788

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.776

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.770

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.767

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.764

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.755

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.752

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.743

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.740

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.738

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.734

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.729

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.727

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.725

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.723

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.705

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.695

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.689

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.686

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.685

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.684

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.682

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.677

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.675

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.673

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.672

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.671

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.653

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.652

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.