@verii/server-mockvendor

Mock Vendor backend

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

lfdt-npmhyperledger-ghci

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @verii/http-client replaces @verii/request — an internal same-org dep swap in a coordinated monorepo release. Not an external unknown dependency.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): Publisher changed from lfdt-npm to GitHub Actions as part of org-wide CI/CD migration with SLSA provenance attestation. This is a supply chain improvement, not a compromise.	ai	2026/04/27
phantom-deps	phantom-dep:mongodb	AI (phantom-deps): mongodb is used transitively via spence-mongo-repos; config-file reference without direct import is expected in this architecture.	ai	2026/04/27
phantom-deps	phantom-dep:@fastify/jwt	AI (phantom-deps): Fastify plugin registered via config/autoload pattern, not direct import. Stable false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@verii/did-doc	AI (phantom-deps): Same-org sibling package; used indirectly. Stable false positive for this monorepo package.	ai	2026/04/27
phantom-deps	phantom-dep:fastify-plugin	AI (phantom-deps): Fastify plugin helper referenced in config; stable false positive for this Fastify-based package.	ai	2026/04/27
phantom-deps	phantom-dep:@fastify/swagger	AI (phantom-deps): Fastify plugin registered via autoload/config pattern. Stable false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@fastify/sensible	AI (phantom-deps): Fastify plugin registered via autoload/config pattern. Stable false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@fastify/swagger-ui	AI (phantom-deps): Fastify plugin registered via autoload/config pattern. Stable false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:@verii/fastify-plugins	AI (phantom-deps): Same-org sibling package used indirectly. Stable false positive for this monorepo package.	ai	2026/04/27
phantom-deps	phantom-dep:@fastify/helmet	AI (phantom-deps): Fastify plugin registered via autoload/config pattern. Stable false positive for this package.	ai	2026/04/27
phantom-deps	phantom-dep:fastify	AI (phantom-deps): Fastify apps commonly register plugins via autoload/config rather than direct imports; phantom-dep is a stable false positive for this Fastify-based package.	ai	2026/04/27
provenance	slsa-provenance	AI (provenance): Package consistently published via CI/CD with SLSA provenance attestation; this is a stable positive signal for the @verii org.	ai	2026/04/25

Versions (showing 14 of 14)

Version	Deps	Published
1.1.3	26 / 18	2026-04-26
1.1.2	26 / 18	2026-04-23
1.1.1	26 / 18	2026-04-21
1.1.0	26 / 18	2026-04-17
1.0.9	26 / 17	2025-12-15
1.0.8	26 / 17	2025-12-10
1.0.7	26 / 17	2025-11-04
1.0.6	26 / 17	2025-10-28
1.0.5	26 / 17	2025-10-23
1.0.4	26 / 17	2025-10-09
1.0.3	26 / 17	2025-10-01
1.0.2	26 / 17	2025-10-01
1.0.1	26 / 17	2025-09-28
1.0.0	26 / 17	2025-09-10

v1.1.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.