@verana-labs/vs-agent-model
# VS Agent Model
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @credo-ts/didcomm is the canonical DIDComm module from the Credo-TS project, consistent with existing @credo-ts/core dependency. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publisher backed by SLSA Sigstore attestation; consistent with legitimate automation adoption. | ai | |
| dependencies | unvetted-dep:@2060.io/credo-ts-didcomm-mrtd | AI (dependencies): Specialized DIDComm/MRTD credential package consistent with this SSI-domain package's use case; no install scripts or malicious indicators. | ai | |
| dependencies | unvetted-dep:@2060.io/credo-ts-didcomm-receipts | AI (dependencies): Specialized DIDComm receipts package consistent with this SSI-domain package's use case; no install scripts or malicious indicators. | ai | |
| provenance | no-provenance | AI (provenance): Package is part of the active 2060.io/vs-agent project; lack of provenance is common and no other risk signals are present. | ai | |
| dependencies | unvetted-dep:mrz | AI (dependencies): mrz is a well-known machine-readable zone parsing library; its use is appropriate for an identity/credential agent model package. | ai | |
| dependencies | unvetted-dep:@credo-ts/core | AI (dependencies): @credo-ts/core is part of the established Credo-TS (Aries Framework JS) open-source SSI framework; legitimate dependency for this package's purpose. | ai | |
| dependencies | unvetted-dep:@credo-ts/didcomm | AI (dependencies): @credo-ts/didcomm is part of the Credo-TS SSI framework; legitimate DIDComm dependency for this agent model package. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 1.11.0 | 6 / 1 | |
| 1.10.1 | 7 / 2 | |
| 1.10.0 | 7 / 2 | |
| 1.9.2 | 7 / 2 | |
| 1.9.1 | 7 / 2 | |
| 1.8.1 | 7 / 2 | |
| 1.8.0 | 7 / 2 | |
| 1.7.3 | 7 / 2 | |
| 1.7.1 | 6 / 2 | |
| 1.7.0 | 6 / 2 | |
| 1.6.0 | 6 / 2 | |
v1.11.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.0
2 findings
This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.