@web-atoms/entity
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA provenance attestation; legitimate automation handoff for this org's packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): 214-version established package; sparse README/keywords are a style choice, not spam. | ai | |
| phantom-deps | phantom-dep:@web-atoms/module-loader | AI (phantom-deps): Same org scope; likely used transitively or at runtime rather than via direct import. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): reflect-metadata is a known implicit runtime dep for TypeScript decorators; stable false positive. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Standard Reflect.get usage for proxy/decorator pattern in entity change tracking; not obfuscation. | ai | |
| phantom-deps | phantom-dep:@web-atoms/web-controls | AI (phantom-deps): Same-org package; phantom-dep heuristic unreliable for peer/optional usage patterns. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval used in MockBaseEntityService to build filter lambdas from query strings in test mocks; not production attack surface. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in test.js test runner loading local .js files; not a supply-chain risk. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 2.6.8 | 4 / 5 | |
| 2.5.11 | 5 / 3 | |
| 2.5.10 | 5 / 3 | |
| 2.5.8 | 5 / 3 | |
| 2.5.7 | 5 / 3 | |
| 2.5.6 | 5 / 3 | |
| 2.5.5 | 5 / 3 | |
| 2.5.4 | 5 / 3 | |
| 2.5.2 | 5 / 3 | |
| 2.4.89 | 5 / 3 | |
| 2.4.88 | 5 / 3 | |
| 2.4.87 | 5 / 3 | |
| 2.4.86 | 5 / 3 | |
| 2.4.85 | 5 / 3 | |
| 2.4.84 | 5 / 3 | |
| 2.4.83 | 5 / 3 |
v2.6.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.11
2 findingsThis version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.10
2 findingsThis version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.8
2 findingsThis version was published by a different npm account than previous versions on 2026-03-08. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.7
2 findingsThis version was published by a different npm account than previous versions on 2026-03-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.6
2 findingsThis version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.5
2 findingsThis version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.89
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.88
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.87
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.86
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.85
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.84
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.83
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.