koishi — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

shigma

botchatbotdiscordtelegramcordisframework

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:child-process-import	AI (semgrep): Koishi is a CLI chatbot framework; child_process is used to spawn worker processes — a documented and expected pattern for this package across all versions.	ai	2026/04/26
phantom-deps	phantom-dep:@satorijs/core	AI (phantom-deps): Koishi uses a plugin architecture; @satorijs/core is a declared runtime dep loaded dynamically, not via static import. Expected pattern for this framework.	ai	2026/04/26
phantom-deps	phantom-dep:@koishijs/plugin-http	AI (phantom-deps): Plugin dependency loaded dynamically via Koishi's plugin system, not via static import. Expected pattern for this framework.	ai	2026/04/26
phantom-deps	phantom-dep:@koishijs/plugin-server	AI (phantom-deps): Plugin dependency loaded dynamically via Koishi's plugin system, not via static import. Expected pattern for this framework.	ai	2026/04/26
phantom-deps	phantom-dep:@koishijs/plugin-proxy-agent	AI (phantom-deps): Plugin dependency loaded dynamically via Koishi's plugin system, not via static import. Expected pattern for this framework.	ai	2026/04/26

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.