@trayio/commons
Extensions to the standard/core libraries and basic features
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package; provenance is a best-practice enhancement, not a security blocker. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): generate-schema is a legitimate, established utility; addition is consistent with this package's pattern of commons utilities. | ai | |
| dependencies | unvetted-dep:io-ts-types | AI (dependencies): Legitimate io-ts companion library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:deep-copy-ts | AI (dependencies): Well-known utility library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:monocle-ts | AI (dependencies): Legitimate fp-ts ecosystem library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:io-ts-reporters | AI (dependencies): Legitimate io-ts companion library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:generate-schema | AI (dependencies): Well-known schema generation library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:newtype-ts | AI (dependencies): Legitimate fp-ts ecosystem library; stable dependency for this package. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): Declared runtime dep used via package exports pattern; phantom-dep heuristic misfires on this package's dist structure. | ai | |
| phantom-deps | phantom-dep:@types/mime-types | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic misfires on this package's dist structure. | ai | |
| phantom-deps | phantom-dep:formidable | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic misfires on this package's dist structure. | ai | |
| phantom-deps | phantom-dep:monocle-ts | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic misfires on this package's dist structure. | ai | |
| phantom-deps | phantom-dep:newtype-ts | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic misfires on this package's dist structure. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/formidable | AI (phantom-deps): Framework-scoped type package; stable false positive for this package. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 5.23.0 | 21 / 0 | |
| 5.22.0 | 21 / 0 | |
| 5.21.0 | 21 / 0 | |
| 5.20.0 | 21 / 0 | |
| 5.19.0 | 21 / 0 | |
| 5.18.0 | 21 / 0 | |
| 5.17.0 | 21 / 0 | |
| 5.15.0 | 21 / 0 | |
| 5.14.0 | 21 / 0 | |
| 5.13.0 | 20 / 0 | |
| 5.12.0 | 20 / 0 | |
| 5.11.0 | 20 / 0 | |
| 5.10.0 | 20 / 0 | |
| 5.9.0 | 20 / 0 | |
| 5.8.0 | 20 / 0 | |
| 5.7.0 | 20 / 0 | |
| 5.6.0 | 20 / 0 | |
| 5.5.0 | 20 / 0 | |
| 4.104.0 | 20 / 0 | |
v5.23.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.22.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.20.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.19.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.18.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.104.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.