cloudevents

2 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

grant, lanceball, lholmquist

Keywords

events, cloudevents, sdk, javascript, cncf

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires on webpack UMD bundle output (bundles/cloudevents.js). Standard build artifact from the official CNCF CloudEvents SDK; no malicious payload present. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() usage is part of webpack's standard module runtime in the UMD bundle. Expected and benign for this package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): The 'process' package is a legitimate Node.js polyfill used in the browser bundle build; correctly listed as a runtime dependency. | ai | |

Versions (showing 2 of 2)

| Version | Deps | Published |
| --- | --- | --- |
| 10.0.0 | 6 / 36 | |
| 7.0.2 | 6 / 36 | |

v10.0.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.0.2

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.