aegir
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Config-referenced utility; stable pattern for this build-tool package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): deno dep added to support Deno test target matching existing test:deno script — legitimate feature addition. | ai | |
| dependencies | unvetted-dep:playwright-test | AI (dependencies): playwright-test is aegir's browser test runner; long-standing dependency in this project management tool. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-conventionalcommits | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/git | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/npm | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:eslint-formatter-unix | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:npm-package-json-lint | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:typedoc-plugin-mermaid | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/github | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:typedoc-plugin-mdn-links | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/changelog | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:typedoc-plugin-missing-exports | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/commit-analyzer | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:@semantic-release/release-notes-generator | AI (phantom-deps): Same structural pattern — declared for downstream use, not direct import. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): Referenced in config, not imported; stable pattern for aegir. | ai | |
| phantom-deps | phantom-dep:deno | AI (phantom-deps): Deno is invoked as a CLI tool via config/scripts, not imported directly; consistent with aegir's toolchain pattern. | ai | |
| phantom-deps | phantom-dep:path | AI (phantom-deps): Referenced in config, not imported; stable pattern for aegir. | ai | |
| phantom-deps | phantom-dep:@types/chai-as-promised | AI (phantom-deps): Type-only package loaded by convention. | ai | |
| phantom-deps | phantom-dep:source-map-support | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:c8 | AI (phantom-deps): aegir is a meta-tooling package; deps are invoked via CLI/config, not direct imports. | ai | |
| phantom-deps | phantom-dep:nyc | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:mocha | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:electron-mocha | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:playwright-test | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:semantic-release | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:semantic-release-monorepo | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:cspell | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:p-map | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:tempy | AI (phantom-deps): Same meta-tooling pattern; invoked via config. | ai | |
| phantom-deps | phantom-dep:react-native-test-runner | AI (phantom-deps): Platform-specific binary invoked via config, not imported. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): Type-only package loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type-only package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/mocha | AI (phantom-deps): Type-only package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/chai-string | AI (phantom-deps): Type-only package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@types/chai-subset | AI (phantom-deps): Type-only package loaded by convention. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP 127.0.0.1 appears only in JSDoc example code for the echo-server utility; not a real network call. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 48.0.12 | 95 / 18 | |
| 48.0.11 | 94 / 17 | |
| 48.0.10 | 94 / 17 | |
| 48.0.7 | 94 / 17 | |
| 48.0.6 | 94 / 17 | |
| 48.0.5 | 94 / 17 | |
| 48.0.2 | 94 / 17 | |
| 48.0.0 | 94 / 17 | |
| 47.2.0 | 94 / 17 | |
| 47.1.7 | 93 / 17 | |
| 47.1.6 | 93 / 17 | |
| 47.1.5 | 93 / 17 | |
| 47.1.2 | 93 / 17 | |
| 47.1.1 | 93 / 17 | |
| 47.1.0 | 93 / 17 | |
| 47.0.23 | 93 / 17 | |
| 47.0.21 | 93 / 17 | |
| 47.0.19 | 93 / 17 | |
| 47.0.18 | 93 / 17 | |
| 47.0.14 | 93 / 17 | |
| 47.0.12 | 93 / 17 | |
| 47.0.9 | 92 / 17 | |
v48.0.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v48.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.1.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.1.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.1.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.21
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.19
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v47.0.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.