@times-components/article-topics
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Long-established monorepo package; no provenance is consistent across all versions. | ai |
Versions (showing 46 of 46)
| Version | Deps | Published |
|---|---|---|
| 4.11.117 | 6 / 18 | |
| 4.11.116 | 6 / 18 | |
| 4.11.115 | 6 / 18 | |
| 4.11.114 | 6 / 18 | |
| 4.11.113 | 6 / 18 | |
| 4.11.112 | 6 / 18 | |
| 4.11.111 | 6 / 18 | |
| 4.11.110 | 6 / 18 | |
| 4.11.109 | 6 / 18 | |
| 4.11.108 | 6 / 18 | |
| 4.11.107 | 6 / 18 | |
| 4.11.106 | 6 / 18 | |
| 4.11.105 | 6 / 18 | |
| 4.11.104 | 6 / 18 | |
| 4.11.103 | 6 / 18 | |
| 4.11.102 | 6 / 18 | |
| 4.11.101 | 6 / 18 | |
| 4.11.100 | 6 / 18 | |
| 4.11.99 | 6 / 18 | |
| 4.11.98 | 6 / 18 | |
| 4.11.97 | 6 / 18 | |
| 4.11.96 | 6 / 18 | |
| 4.11.95 | 6 / 18 | |
| 4.11.94 | 6 / 18 | |
| 4.11.93 | 6 / 18 | |
| 4.11.92 | 6 / 18 | |
| 4.11.91 | 6 / 18 | |
| 4.11.90 | 6 / 18 | |
| 4.11.89 | 6 / 18 | |
| 4.11.88 | 6 / 18 | |
| 4.11.87 | 6 / 18 | |
| 4.11.86 | 6 / 18 | |
| 4.11.85 | 6 / 18 | |
| 4.11.84 | 6 / 18 | |
| 4.11.83 | 6 / 18 | |
| 4.11.82 | 6 / 18 | |
| 4.11.81 | 6 / 18 | |
| 4.11.80 | 6 / 18 | |
| 4.11.79 | 6 / 18 | |
| 4.11.78 | 6 / 18 | |
| 4.11.77 | 6 / 18 | |
| 4.11.76 | 6 / 18 | |
| 4.11.75 | 6 / 18 | |
| 4.11.74 | 6 / 18 | |
| 4.11.73 | 6 / 18 | |
| 4.11.72 | 6 / 18 |
v4.11.116
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.115
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.114
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.113
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.112
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.111
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.110
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.109
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.108
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.107
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.106
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.105
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.104
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.103
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.102
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.101
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.100
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.99
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.98
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.97
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.96
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.95
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.94
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.93
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.92
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.91
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.90
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.89
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.88
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.87
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.86
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.85
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.84
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.83
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.82
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.81
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.80
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.79
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.78
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.77
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.76
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.75
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.74
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.73
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.11.72
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.