arikajs
The ArikaJS Framework.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): No provenance is common (~88% of npm); no other risk signals present. | ai | |
| phantom-deps | phantom-dep:@arikajs/dispatcher | AI (phantom-deps): Internal scoped package referenced via config; stable false positive. | ai | |
| phantom-deps | phantom-dep:busboy | AI (phantom-deps): Framework dependency declared for downstream use; not directly imported in this entry package. | ai | |
| phantom-deps | phantom-dep:@types/serve-static | AI (phantom-deps): Type-only package; framework-scoped, loaded by convention. | ai | |
| phantom-deps | phantom-dep:@arikajs/console | AI (phantom-deps): Same framework aggregator pattern. | ai | |
| phantom-deps | phantom-dep:@arikajs/cli | AI (phantom-deps): Framework aggregator; scoped deps referenced in config, not directly imported — stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@arikajs/authorization | AI (phantom-deps): Same framework aggregator pattern. | ai | |
| phantom-deps | phantom-dep:@arikajs/storage | AI (phantom-deps): Same framework aggregator pattern. | ai | |
| phantom-deps | phantom-dep:@arikajs/mail | AI (phantom-deps): Same framework aggregator pattern; config-referenced dep, not a real phantom. | ai | |
| phantom-deps | phantom-dep:@arikajs/view | AI (phantom-deps): Same framework aggregator pattern. | ai | |
| phantom-deps | phantom-dep:@arikajs/events | AI (phantom-deps): Same framework aggregator pattern. | ai |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 0.10.19 | 26 / 3 | |
| 0.10.17 | 26 / 3 | |
| 0.10.16 | 26 / 3 | |
| 0.10.15 | 26 / 3 | |
| 0.10.14 | 26 / 3 | |
| 0.10.13 | 26 / 3 | |
| 0.10.12 | 26 / 3 | |
| 0.10.11 | 26 / 3 | |
| 0.10.10 | 26 / 3 | |
| 0.10.9 | 26 / 3 | |
| 0.10.8 | 26 / 3 | |
| 0.10.3 | 25 / 3 | |
| 0.10.2 | 24 / 3 | |
| 0.10.1 | 24 / 3 | |
| 0.10.0 | 24 / 3 | |
| 0.0.8 | 25 / 3 | |
| 0.0.6 | 25 / 3 | |
| 0.0.5 | 25 / 3 | |
| 0.0.4 | 19 / 2 | |
| 0.0.2 | 19 / 2 | |
| 0.0.1 | 19 / 2 |
v0.10.19
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: prakashtank.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.