@xylabs/toolchain
Unified TypeScript toolchain for XY Labs — build, lint, test, deploy with auto-detected package manager and React support
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): yaml is a well-established, safe library; addition is benign for this toolchain package. | ai | |
| dependencies | unvetted-dep:license-checker | AI (dependencies): license-checker is a well-known utility; appropriate runtime dep for a build toolchain. | ai | |
| dependencies | unvetted-dep:parse-git-config | AI (dependencies): parse-git-config is a well-known utility; appropriate for a build toolchain. | ai | |
| dependencies | unvetted-dep:types-package-json | AI (dependencies): types-package-json is a type definitions package; safe for a TypeScript toolchain. | ai | |
| phantom-deps | phantom-dep:vite | AI (phantom-deps): vite is a legitimate runtime dep for this toolchain; loaded via config convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is framework-scoped and loaded by convention in TypeScript toolchains. | ai | |
Versions (showing 51 of 61)
| Version | Deps | Published |
|---|---|---|
| 8.1.16 | 18 / 16 | |
| 8.1.15 | 23 / 16 | |
| 8.1.14 | 23 / 16 | |
| 8.1.13 | 23 / 16 | |
| 8.1.12 | 23 / 18 | |
| 8.1.11 | 23 / 18 | |
| 8.1.10 | 23 / 18 | |
| 8.1.6 | 23 / 19 | |
| 8.1.5 | 23 / 19 | |
| 8.1.0 | 23 / 19 | |
| 8.0.10 | 22 / 18 | |
| 8.0.9 | 22 / 18 | |
| 8.0.7 | 22 / 18 | |
| 8.0.6 | 22 / 18 | |
| 8.0.4 | 22 / 18 | |
| 8.0.3 | 22 / 18 | |
| 8.0.2 | 22 / 18 | |
| 8.0.1 | 22 / 18 | |
| 8.0.0 | 22 / 18 | |
| 7.13.24 | 25 / 19 | |
| 7.13.23 | 25 / 19 | |
| 7.13.22 | 25 / 19 | |
| 7.13.21 | 25 / 19 | |
| 7.13.20 | 25 / 19 | |
| 7.13.19 | 25 / 19 | |
| 7.13.18 | 24 / 18 | |
| 7.13.17 | 24 / 18 | |
| 7.13.16 | 24 / 18 | |
| 7.13.15 | 24 / 18 | |
| 7.13.14 | 24 / 18 | |
| 7.13.13 | 25 / 18 | |
| 7.13.12 | 25 / 18 | |
| 7.13.11 | 25 / 18 | |
| 7.13.10 | 25 / 18 | |
| 7.13.9 | 25 / 18 | |
| 7.13.8 | 25 / 18 | |
| 7.13.7 | 25 / 18 | |
| 7.13.6 | 25 / 18 | |
| 7.13.5 | 25 / 18 | |
| 7.13.4 | 25 / 18 | |
| 7.13.3 | 25 / 18 | |
| 7.13.2 | 25 / 18 | |
| 7.13.1 | 25 / 18 | |
| 7.13.0 | 25 / 18 | |
| 7.12.3 | 25 / 14 | |
| 7.12.2 | 25 / 14 | |
| 7.12.1 | 25 / 14 | |
| 7.12.0 | 25 / 14 | |
| 7.11.12 | 25 / 14 | |
| 7.11.11 | 25 / 14 | |
| 7.11.10 | 25 / 14 | |
v8.1.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.11
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.10
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.6
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.5
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atrouw.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.13.3
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atrouw) than the most recent previously approved version (xyo) on 2026-05-05, but atrouw is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v7.13.2
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atrouw) than the most recent previously approved version (xyo) on 2026-05-05, but atrouw is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v7.13.1
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atrouw) than the most recent previously approved version (xyo) on 2026-05-05, but atrouw is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v7.13.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (atrouw) than the most recent previously approved version (xyo) on 2026-05-05, but atrouw is listed as a maintainer on prior approved versions (matched on email). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v7.12.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.12.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.11.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.