@ttoss/config
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): pedro-arantes and pedroarantes are the same person (named in contributors); SLSA provenance confirms CI/CD publish. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): pedroarantes is the same author as pedro-arantes; account rename, not a takeover. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): pedro-arantes removed as part of account consolidation to pedroarantes; same individual. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy explained by account rename; SLSA provenance and clean diff confirm legitimate publish. | ai | |
| phantom-deps | phantom-dep:babel-plugin-formatjs | AI (phantom-deps): Config package references this in exported config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-import-meta | AI (phantom-deps): Config package references this in exported config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:identity-obj-proxy | AI (phantom-deps): Config package references this in Jest config exports; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Config package exports Babel presets by convention; not directly imported but intentionally re-exported. | ai | |
| phantom-deps | phantom-dep:@formatjs/ts-transformer | AI (phantom-deps): Config package references this in TS config exports; stable false positive. | ai | |
| phantom-deps | phantom-dep:@commitlint/config-conventional | AI (phantom-deps): Config package references this in commitlint config exports; stable false positive. | ai | |
| phantom-deps | phantom-dep:prettier-package-json | AI (phantom-deps): Config package references this in Prettier config exports; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Config package exports Babel presets by convention; not directly imported but intentionally re-exported. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Config package exports Babel presets by convention; not directly imported but intentionally re-exported. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Config package exports Babel plugins by convention; referenced in config files. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 1.37.12 | 12 / 6 | |
| 1.37.11 | 12 / 6 | |
| 1.37.10 | 12 / 6 | |
| 1.37.9 | 12 / 6 | |
| 1.37.8 | 12 / 6 | |
| 1.37.7 | 12 / 6 | |
| 1.37.6 | 12 / 6 | |
| 1.37.5 | 12 / 6 | |
| 1.37.2 | 12 / 6 | |
| 1.36.0 | 12 / 6 | |
| 1.35.12 | 12 / 6 | |
| 1.35.11 | 12 / 6 | |
| 1.35.10 | 12 / 6 | |
| 1.35.9 | 12 / 6 | |
| 1.35.8 | 12 / 6 | |
| 1.35.7 | 12 / 6 | |
| 1.35.6 | 12 / 6 | |
| 1.35.5 | 12 / 6 | |
| 1.35.4 | 12 / 6 | |
v1.37.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.8
2 findings:
This version was published by a different npm account than previous versions on 2026-04-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.7
2 findings:
This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.6
2 findings:
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.5
2 findings:
This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.2
2 findings:
This version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.0
2 findings:
This version was published by a different npm account than previous versions on 2026-02-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.