node-ical — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

apollon77jens-maus

Keywords

icalicscalendarnodejs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; repo unchanged.	ai	2026/05/19

Versions (showing 17 of 17)

Version	Deps	Published
0.26.1	2 / 10	2026-05-02
0.26.0	2 / 10	2026-04-03
0.25.6	2 / 10	2026-03-13
0.25.5	2 / 10	2026-03-06
0.25.4	2 / 10	2026-02-22
0.25.3	1 / 10	2026-02-18
0.25.2	1 / 10	2026-02-16
0.25.1	1 / 10	2026-02-06
0.25.0	1 / 9	2026-02-03
0.24.2	2 / 9	2026-02-01
0.24.1	2 / 9	2026-01-31
0.24.0	2 / 9	2026-01-27
0.23.1	2 / 9	2026-01-11
0.23.0	2 / 9	2026-01-10
0.22.1	1 / 9	2025-10-24
0.22.0	1 / 9	2025-10-19
0.21.0	2 / 5	2025-09-15

v0.26.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.6

2 findings

HIGH Publisher changed: jens-maus → GitHub Actions (on 2026-03-13) provenance

This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.5

2 findings

HIGH Publisher changed: jens-maus → GitHub Actions (on 2026-03-06) provenance

This version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.4

2 findings

HIGH Publisher changed: jens-maus → GitHub Actions (on 2026-02-22) provenance

This version was published by a different npm account than previous versions on 2026-02-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.3

2 findings

HIGH Publisher changed: jens-maus → GitHub Actions (on 2026-02-18) provenance

This version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.2

2 findings

HIGH Publisher changed: jens-maus → GitHub Actions (on 2026-02-16) provenance

This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.