@tryghost/mg-context
A SQLite-backed data store for building Ghost import files. Provides a validated, typed interface for posts, tags, and authors with batched iteration for large migrations.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Ghost org packages consistently lack provenance; stable false positive for this package family. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Internal Ghost tooling package; missing description is consistent across versions and not a malice indicator. | ai | |
| phantom-deps | phantom-dep:@tryghost/mg-json | AI (phantom-deps): Same org scope; declared as runtime dep, phantom signal is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): Dev tooling declared in both deps and devDeps; config-only reference, stable false positive. | ai | |
| phantom-deps | phantom-dep:c8 | AI (phantom-deps): Dev tool listed in dependencies but used only in test scripts; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tryghost/listr-smart-renderer | AI (phantom-deps): Same-org Ghost package; likely used transitively or in tooling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): Dev tool listed in dependencies but used only in lint scripts; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build tool listed in dependencies but used only in build scripts; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint parser listed in dependencies but used only in lint config; stable false positive for this package. | ai |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 0.10.0 | 10 / 1 | |
| 0.9.0 | 10 / 1 | |
| 0.8.3 | 10 / 1 | |
| 0.8.2 | 10 / 1 | |
| 0.8.1 | 12 / 6 | |
| 0.8.0 | 12 / 6 | |
| 0.7.0 | 12 / 6 | |
| 0.6.0 | 12 / 6 | |
| 0.5.0 | 12 / 6 | |
| 0.4.0 | 12 / 6 | |
| 0.3.0 | 12 / 6 | |
| 0.2.0 | 12 / 5 | |
| 0.1.27 | 7 / 7 | |
| 0.1.26 | 7 / 7 | |
| 0.1.25 | 4 / 9 | |
| 0.1.24 | 4 / 9 | |
| 0.1.23 | 4 / 9 | |
| 0.1.22 | 4 / 9 | |
| 0.1.21 | 4 / 9 | |
| 0.1.20 | 4 / 9 | |
| 0.1.19 | 4 / 9 |
v0.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.27
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.26
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.25
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.23
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.