didwebvh-ts — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

decentralized_identity_foundation

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher is GitHub Actions CI for the same decentralized-identity org; SLSA attestation confirms legitimate automated publish.	ai	2026/05/02
publish-pattern	new-deps-added	AI (publish-pattern): cookie, glob, js-yaml are established packages with no known malicious history; phantom-dep findings suggest limited direct use.	ai	2026/05/02
phantom-deps	phantom-dep:js-yaml	AI (phantom-deps): Used in bundled output; stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:glob	AI (phantom-deps): Used in build scripts/bundled output; phantom-dep heuristic fires on compiled packages.	ai	2026/04/28
phantom-deps	phantom-dep:json-canonicalize	AI (phantom-deps): Used in bundled output; stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:@noble/hashes	AI (phantom-deps): Cryptographic dep used in bundled output; stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:cookie	AI (phantom-deps): Used in bundled output; stable false positive for this package.	ai	2026/04/28

Versions (showing 20 of 20)

Version	Deps	Published
2.7.5	5 / 7	2026-05-20
2.7.4	5 / 10	2026-04-24
2.7.3	5 / 10	2026-04-18
2.7.2	5 / 10	2026-03-03
2.7.1	5 / 10	2026-01-24
2.5.6	2 / 9	2025-11-12
2.5.5	2 / 9	2025-10-08
2.5.4	2 / 9	2025-09-02
2.5.3	2 / 9	2025-08-15
2.5.2	2 / 9	2025-08-14
2.5.1	2 / 9	2025-08-14
2.5.0	2 / 9	2025-08-14
2.4.1	2 / 9	2025-07-23
2.4.0	2 / 9	2025-07-16
2.3.2	2 / 9	2025-06-24
2.3.1	2 / 9	2025-06-24
2.3.0	2 / 9	2025-06-23
2.2.0	2 / 9	2025-06-18
2.1.0	2 / 9	2025-05-23
2.0.2	1 / 9	2025-05-23

v2.7.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.2

2 findings

HIGH Publisher changed: decentralized_identity_foundation → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.1

2 findings

HIGH Publisher changed: decentralized_identity_foundation → GitHub Actions (on 2026-01-24) provenance

This version was published by a different npm account than previous versions on 2026-01-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.