@vitessce/csv — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

keller-mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	slsa-provenance	AI (provenance): Vitessce monorepo publishes via GitHub Actions with SLSA attestation; publisher-changed to GitHub Actions is expected for CI-based publishing.	ai	2026/05/07
provenance	publisher-changed	AI (provenance): Transition from keller-mark to GitHub Actions reflects a legitimate CI/CD migration for the vitessce monorepo, backed by SLSA attestation.	ai	2026/05/07
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by CI-based publishing with SLSA provenance is consistent with a legitimate release cadence change, not a takeover.	ai	2026/05/07
typosquat	typosquat.levenshtein:qs	AI (typosquat): Scoped @vitessce/ package in a known monorepo; cannot be a typosquat of 'qs'.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/constants-internal	AI (phantom-deps): Same-org sibling dep in monorepo; phantom-dep heuristic unreliable here.	ai	2026/05/02
typosquat	typosquat.levenshtein:ajv	AI (typosquat): Scoped @vitessce/ package in a known monorepo; cannot be a typosquat of 'ajv'.	ai	2026/05/02
phantom-deps	phantom-dep:d3-array	AI (phantom-deps): Monorepo build artifact; d3-array may be used transitively or in config files.	ai	2026/05/02

Versions (showing 46 of 46)

Version	Deps	Published
3.9.11	7 / 0	2026-05-29
3.9.10	7 / 0	2026-05-27
3.9.9	7 / 0	2026-05-20
3.9.8	7 / 0	2026-04-29
3.9.7	7 / 0	2026-04-10
3.9.6	7 / 0	2026-03-26
3.9.5	7 / 0	2026-02-23
3.9.4	7 / 0	2026-02-11
3.9.3	7 / 0	2026-02-11
3.9.2	7 / 0	2026-02-05
3.9.1	7 / 0	2026-01-27
3.9.0	7 / 0	2026-01-16
3.8.13	7 / 0	2025-12-14
3.8.10	7 / 0	2025-12-03
3.8.9	7 / 0	2025-11-20
3.8.8	7 / 0	2025-11-12
3.8.7	7 / 0	2025-11-12
3.8.6	7 / 0	2025-11-10
3.8.5	7 / 0	2025-10-25
3.8.4	7 / 0	2025-10-23
3.8.3	7 / 0	2025-10-07
3.8.2	7 / 0	2025-09-29
3.8.1	7 / 0	2025-09-18
3.8.0	7 / 0	2025-09-17
3.7.1	7 / 0	2025-09-17
3.7.0	7 / 0	2025-09-12
3.6.18	7 / 0	2025-08-21
3.6.17	7 / 0	2025-08-18
3.6.16	7 / 0	2025-08-14
3.6.15	7 / 0	2025-08-13
3.6.14	7 / 0	2025-08-11
3.6.13	7 / 0	2025-08-06
3.6.12	7 / 0	2025-08-05
3.6.11	7 / 0	2025-07-29
3.6.10	7 / 0	2025-07-25
3.6.9	7 / 0	2025-07-25
3.6.8	7 / 0	2025-07-25
3.6.7	6 / 0	2025-07-16
3.6.6	6 / 0	2025-07-15
3.6.5	6 / 0	2025-07-10
3.6.4	6 / 0	2025-07-03
3.6.3	6 / 0	2025-06-20
3.6.2	6 / 0	2025-06-05
3.6.1	6 / 0	2025-06-03
3.6.0	6 / 0	2025-06-02
3.5.12	6 / 0	2025-05-15

v3.9.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.7

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-04-10) provenance

This version was published by a different npm account than previous versions on 2026-04-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.6

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.5

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-02-23) provenance

This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.4

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-02-11) provenance

This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.3

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-02-11) provenance

This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.1

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-01-27) provenance

This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.0

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2026-01-16) provenance

This version was published by a different npm account than previous versions on 2026-01-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.13

2 findings

HIGH Publisher changed: keller-mark → GitHub Actions (on 2025-12-14) provenance

This version was published by a different npm account than previous versions on 2025-12-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.