@well-played.gg/typescript-sdk

This is the official [WellPlayed](https://well-played.gg) Typescript SDK. It provides a set of tools to interract with WellPlayed's API.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

alexmog

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing is confirmed by SLSA provenance attestation; stable automation pattern for this package.	ai	2026/05/26
dependencies	unvetted-dep:apollo3-cache-persist	AI (dependencies): apollo3-cache-persist is a well-known Apollo cache persistence library; stable false positive for this package.	ai	2026/05/22
phantom-deps	phantom-dep:axios	AI (phantom-deps): Bundled SDK; axios declared as runtime dep, used internally even if not directly imported at top level.	ai	2026/04/29
phantom-deps	phantom-dep:lodash	AI (phantom-deps): Bundled SDK; lodash declared as runtime dep, consistent with bundled output pattern.	ai	2026/04/29
phantom-deps	phantom-dep:graphql	AI (phantom-deps): graphql is a peer/runtime dep for Apollo-based SDK; phantom-dep is a false positive here.	ai	2026/04/29
phantom-deps	phantom-dep:apollo3-cache-persist	AI (phantom-deps): Declared runtime dep in a bundled SDK; phantom-dep heuristic is unreliable for bundled outputs.	ai	2026/04/29

Versions (showing 17 of 17)

Version	Deps	Published
1.4.5	6 / 9	2026-06-08
1.4.4	6 / 9	2026-04-27
1.4.3	6 / 9	2026-04-26
1.4.2	6 / 9	2026-04-25
1.4.1	6 / 9	2026-04-24
1.4.0	6 / 8	2026-04-12
1.3.4	6 / 8	2026-01-15
1.3.3	6 / 8	2026-01-15
1.3.2	6 / 8	2025-12-19
1.3.1	6 / 8	2025-12-18
1.3.0	6 / 8	2025-12-18
1.2.7	6 / 8	2025-08-10
1.2.6	6 / 8	2025-08-10
1.2.5	6 / 8	2025-08-10
1.2.4	6 / 8	2025-07-26
1.2.3	6 / 8	2025-07-26
1.2.2	6 / 8	2025-07-21

v1.4.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.3

2 findings

HIGH Publisher changed: alexmog → GitHub Actions (on 2026-04-26) provenance

This version was published by a different npm account than previous versions on 2026-04-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.