@wix/monitoring-types — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

yoavwix-cishahatawixnpmwix-ambassadorwix-ci-publisherwix-bi-publishergalil-teamusability-sessionsyurynixydanivmayacoamitde007haimbrum-wixyoungshinobiethanpshlomitc-wixarielhwix-org-headlessfalconcinadavlacroir-wixdorchaouat

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): Wix org routine maintainer rotation via CI publisher; not indicative of takeover.	ai	2026/06/02
maintainer-change	maintainer-removed	AI (maintainer-change): Same org rotation context; removal paired with addition is expected for Wix internal packages.	ai	2026/06/02
publish-pattern	dormant-publish	AI (publish-pattern): Types-only internal package; long dormancy between releases is normal for stable type definitions.	ai	2026/06/02
bogus-package	bogus-package	AI (bogus-package): Wix internal CI-published package; missing metadata is a known pattern across their SDK packages, not a spam/malware signal.	ai	2026/05/27
npm-metadata	no-description	AI (npm-metadata): Wix internal packages consistently omit descriptions; stable false positive for this publisher.	ai	2026/05/27