← Home

@vertesia/workflow

npm Repository

Vertesia workflow DSL

13
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

bstefanescuaregnier-vertesialeonruggieromvachette_vertesiahq_commincong-vertesia

Keywords

vertesiaworkflowdsltemporaliollmaiagentstypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:base64-decode AI (semgrep): Base64 decoding is used for image data URI processing in media activities — legitimate workflow use. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in video preparation activity (prepareVideo.js) — expected for a media-processing workflow DSL. ai
phantom-deps phantom-dep:sharp AI (phantom-deps): sharp is a native image-processing dep; may be loaded conditionally or via dynamic require in media activities. ai
phantom-deps phantom-dep:seedrandom AI (phantom-deps): Referenced in config files per analyzer note; stable false positive for this package. ai
phantom-deps phantom-dep:@types/json-schema AI (phantom-deps): Type-only package loaded by framework convention; stable false positive. ai

Versions (showing 13 of 13)

Version Deps Published
1.3.0 23 / 10
1.2.0 23 / 10
1.1.0 23 / 10
1.0.0 23 / 10
0.82.4 24 / 10
0.81.1 24 / 10
0.81.0 24 / 10
0.80.0 24 / 10
0.79.4 24 / 10
0.79.3 24 / 10
0.79.2 24 / 10
0.79.1 24 / 10
0.79.0 24 / 10

v1.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.81.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.81.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.80.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.79.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.79.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.79.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.79.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.79.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.