@vertesia/create-plugin

CLI to create Vertesia plugins: UI plugins or tool servers

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

bstefanescuaregnier-vertesialeonruggieromvachette_vertesiahq_commincong-vertesia

Keywords

vertesiatool-serverclicreatetemplatescaffold

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publisher with SLSA attestation; legitimate automation handoff for this org.	ai	2026/05/26
semgrep	semgrep:env-spread	AI (semgrep): env copy is used solely to propagate npm registry config to pnpm; no exfiltration path.	ai	2026/05/22
semgrep	semgrep:eval-usage	AI (semgrep): eval() deserializes prompt validate functions from config strings; standard pattern for this CLI scaffolding tool.	ai	2026/04/29

Versions (showing 37 of 37)

Version	Deps	Published
1.3.0	4 / 4	2026-05-21
1.2.0	4 / 4	2026-05-06
1.1.0	4 / 4	2026-04-29
1.0.0	4 / 4	2026-03-27
0.82.4	4 / 4	2026-02-19
0.82.3	4 / 4	2026-02-19
0.82.2	3 / 4	2026-02-10
0.82.1	3 / 4	2026-02-06
0.82.0	3 / 4	2026-02-05
0.81.1	3 / 4	2026-01-20
0.81.0	3 / 4	2026-01-12
0.80.0	3 / 4	2025-12-15
0.79.4	2 / 9	2025-12-08
0.79.3	2 / 3	2025-11-24
0.79.2	2 / 3	2025-11-21
0.79.1	2 / 3	2025-11-18
0.79.0	2 / 3	2025-10-09
0.78.0	2 / 3	2025-08-25
0.77.0	2 / 3	2025-08-21
0.76.0	2 / 3	2025-08-20
0.75.0	2 / 3	2025-08-15
0.74.0	2 / 3	2025-08-01
0.73.0	2 / 3	2025-07-31
0.72.0	2 / 3	2025-07-28
0.71.0	2 / 3	2025-07-22
0.70.0	2 / 3	2025-07-21
0.69.0	2 / 3	2025-07-17
0.68.0	2 / 3	2025-07-17
0.67.0	2 / 3	2025-06-27
0.66.0	2 / 3	2025-06-25
0.65.0	2 / 3	2025-06-10
0.64.0	2 / 3	2025-06-07
0.63.0	2 / 3	2025-06-07
0.62.0	2 / 3	2025-06-06
0.61.0	2 / 3	2025-06-04
0.60.0	2 / 3	2025-05-26
0.59.0	2 / 3	2025-05-26

v1.3.0

2 findings

HIGH env-spread: lib/package-manager.js:8 semgrep

Spreading entire process.env into an object — may capture all secrets 6 | import prompts from 'prompts'; 7 | export function buildPackageManagerEnv(packageManager) { > 8 | const env = { ...process.env }; 9 | if (packageManager === 'pnpm' && !env.pnpm_config_registry && env.npm_config_registry) { 10 | env.pnpm_config_registry = env.npm_config_registry;

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.82.3

2 findings

HIGH Publisher changed: mincong-vertesia → GitHub Actions (on 2026-02-19) provenance

This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.82.2

2 findings

HIGH Publisher changed: mincong-vertesia → GitHub Actions (on 2026-02-10) provenance

This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.82.1

2 findings

HIGH Publisher changed: mincong-vertesia → GitHub Actions (on 2026-02-06) provenance

This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.82.0

2 findings

HIGH Publisher changed: mincong-vertesia → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.81.1

2 findings

HIGH Publisher changed: mincong-vertesia → bstefanescu (on 2026-01-20) provenance

This version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.