playcademy — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

hbauereli-gooding

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@playcademy/edge-play	AI (phantom-deps): Sibling monorepo package; indirect usage expected.	ai	2026/05/18
phantom-deps	phantom-dep:colorette	AI (phantom-deps): Same as above — CLI tooling with bundled deps.	ai	2026/05/18
phantom-deps	phantom-dep:json-colorizer	AI (phantom-deps): Same as above — CLI tooling with bundled deps.	ai	2026/05/18
phantom-deps	phantom-dep:@hono/node-server	AI (phantom-deps): Used indirectly via bundled CLI; stable false positive for this package.	ai	2026/05/18
phantom-deps	phantom-dep:@inquirer/prompts	AI (phantom-deps): CLI prompts dependency; bundled usage pattern triggers phantom-dep heuristic.	ai	2026/05/18
phantom-deps	phantom-dep:@playcademy/utils	AI (phantom-deps): Sibling monorepo package; indirect usage expected.	ai	2026/05/18
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): CLI tool with config-file-driven deps; phantom-dep heuristic fires on bundled/indirect usage patterns.	ai	2026/05/18
phantom-deps	phantom-dep:hono	AI (phantom-deps): hono is a legitimate web framework; phantom detection is a false positive for this build-tool/CLI package that bundles deps via esbuild.	ai	2026/04/26
dependencies	unvetted-dep:miniflare	AI (dependencies): Miniflare is Cloudflare's official local Workers simulator; its use is consistent with this package's Cloudflare Workers-based tooling purpose.	ai	2026/04/26
phantom-deps	phantom-dep:open	AI (phantom-deps): open is a legitimate declared dependency; phantom detection likely reflects indirect usage in CLI code not statically traced.	ai	2026/04/26
phantom-deps	phantom-dep:dedent	AI (phantom-deps): dedent is a legitimate declared dependency; phantom detection likely reflects indirect usage not statically traced.	ai	2026/04/26
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a legitimate declared dependency for CLI tooling; phantom detection likely reflects indirect usage not statically traced.	ai	2026/04/26

Versions (showing 49 of 149)

Version	Deps	Published
0.13.13	14 / 11	2025-10-21
0.13.12	14 / 11	2025-10-21
0.13.11	14 / 11	2025-10-20
0.13.10	14 / 11	2025-10-20
0.13.9	14 / 11	2025-10-20
0.13.8	14 / 11	2025-10-20
0.13.7	14 / 11	2025-10-20
0.13.6	14 / 11	2025-10-20
0.13.5	14 / 11	2025-10-20
0.13.4	14 / 11	2025-10-20
0.13.3	14 / 11	2025-10-20
0.13.2	14 / 11	2025-10-20
0.13.1	14 / 11	2025-10-20
0.13.0	15 / 11	2025-10-20
0.12.9	15 / 10	2025-10-17
0.12.8	15 / 10	2025-10-17
0.12.7	15 / 10	2025-10-17
0.12.6	15 / 10	2025-10-17
0.12.5	15 / 10	2025-10-17
0.12.4	15 / 10	2025-10-17
0.12.3	15 / 10	2025-10-17
0.12.2	15 / 10	2025-10-17
0.12.1	15 / 10	2025-10-17
0.12.0	15 / 10	2025-10-17
0.11.14	11 / 9	2025-10-14
0.11.13	11 / 9	2025-10-14
0.11.12	11 / 9	2025-10-14
0.11.11	11 / 9	2025-10-14
0.11.10	11 / 9	2025-10-14
0.11.9	11 / 9	2025-10-14
0.11.8	11 / 9	2025-10-14
0.11.7	11 / 9	2025-10-14
0.11.6	11 / 9	2025-10-14
0.11.5	11 / 9	2025-10-14
0.11.4	11 / 9	2025-10-11
0.11.3	11 / 9	2025-10-10
0.11.2	11 / 8	2025-10-08
0.11.1	11 / 8	2025-10-08
0.11.0	11 / 8	2025-10-08
0.10.0	10 / 9	2025-10-07
0.9.0	10 / 9	2025-10-07
0.8.0	10 / 9	2025-10-07
0.7.0	10 / 9	2025-10-07
0.6.0	10 / 9	2025-10-07
0.5.0	10 / 9	2025-10-07
0.4.0	15 / 4	2025-10-06
0.3.0	15 / 4	2025-10-06
0.2.0	15 / 4	2025-10-06
0.1.0	15 / 4	2025-10-06