powerlines
The "framework framework" that simplifies modern dev tool usage, generates virtual (or actual) code modules, and improves DX across the board.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@jridgewell/sourcemap-codec | AI (phantom-deps): Config-referenced dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:locate-character | AI (phantom-deps): Config-referenced dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@stryke/convert | AI (phantom-deps): First-party @stryke scoped dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@stryke/env | AI (phantom-deps): First-party @stryke scoped dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:unplugin | AI (phantom-deps): Declared dep; used indirectly via @powerlines/unplugin integration layer. | ai | |
| phantom-deps | phantom-dep:defu | AI (phantom-deps): Declared in package.json deps; likely re-exported or used indirectly via sub-packages in this monorepo. | ai | |
| phantom-deps | phantom-dep:@stryke/fs | AI (phantom-deps): First-party @stryke scoped dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): First-party @storm-software scoped dep; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/plugin-utils.d.cts | AI (source-diff): File is a TypeScript declaration file with long bundled import lines, not obfuscated executable code. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation; legitimate CI/CD migration for this org. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-react-jsx | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-typescript | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-class-properties | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-typescript | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-export-namespace-from | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-import-assertions | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-jsx | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Framework-scoped Babel preset; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/helper-simple-access | AI (phantom-deps): Framework-scoped Babel helper; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/helper-module-imports | AI (phantom-deps): Framework-scoped Babel helper; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@babel/helper-module-transforms | AI (phantom-deps): Framework-scoped Babel helper; loaded by convention in build tools. | ai | |
| phantom-deps | phantom-dep:@storm-software/esbuild | AI (phantom-deps): Config-referenced tool; stable pattern for this build-tool framework. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Framework-scoped Babel plugin; loaded by convention in build tools. | ai | |
| dependencies | unvetted-dep:@storm-software/tsup | AI (dependencies): First-party Storm Software package from the same publisher org with 233 approved packages; stable for this package. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): powerlines is a build framework that loads Babel plugins by convention; phantom Babel deps are expected and stable across versions. | ai | |
| phantom-deps | phantom-dep:@babel/template | AI (phantom-deps): Framework-scoped Babel package loaded by convention; expected for this build framework. | ai | |
| phantom-deps | phantom-dep:@babel/generator | AI (phantom-deps): Framework-scoped Babel package loaded by convention; expected for this build framework. | ai | |
| phantom-deps | phantom-dep:@alloy-js/babel-plugin | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:@alloy-js/babel-preset | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:@microsoft/tsdoc-config | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:@microsoft/api-extractor | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/utils | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:nanotar | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:github-slugger | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:babel-plugin-parameter-decorator | AI (phantom-deps): Config-referenced Babel plugin for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:babel-dead-code-elimination | AI (phantom-deps): Config-referenced Babel plugin for this build framework; phantom dep pattern is stable. | ai | |
| phantom-deps | phantom-dep:@alloy-js/babel-plugin-jsx-dom-expressions | AI (phantom-deps): Config-referenced package for this build framework; phantom dep pattern is stable. | ai | |
| dependencies | unvetted-dep:@storm-software/esbuild | AI (dependencies): First-party Storm Software package from the same publisher org with 233 approved packages; stable for this package. | ai | |
| dependencies | unvetted-dep:babel-plugin-parameter-decorator | AI (dependencies): Well-known Babel plugin for TypeScript decorator support; no security concerns for this build framework. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a well-known templating library used legitimately in this code-generation framework. Constraint ^4.7.8 starts at a patched version past known prototype pollution CVEs. | ai | |
| phantom-deps | phantom-dep:@cacheable/memory | AI (phantom-deps): @cacheable/memory is a runtime dep used via dynamic/config-driven loading in this plugin framework; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:oxc-resolver | AI (phantom-deps): oxc-resolver is a runtime dep used via dynamic/config-driven loading in this plugin framework; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:unimport | AI (phantom-deps): unimport is a runtime dep used via dynamic/config-driven loading in this plugin framework; not directly imported but legitimately declared. | ai | |
| dependencies | unvetted-dep:@storm-software/config | AI (dependencies): @storm-software/* packages are first-party Storm Software org packages, consistent with monorepo publishing pattern. | ai | |
| dependencies | unvetted-dep:@powerlines/engine | AI (dependencies): @powerlines/* packages are first-party packages from the same Storm Software monorepo as powerlines itself. | ai | |
| dependencies | unvetted-dep:@powerlines/core | AI (dependencies): @powerlines/* packages are first-party packages from the same Storm Software monorepo as powerlines itself. | ai | |
| dependencies | unvetted-dep:@stryke/convert | AI (dependencies): @stryke/* packages are first-party Storm Software org packages, consistent with monorepo publishing pattern for this package family. | ai | |
| dependencies | unvetted-dep:@stryke/fs | AI (dependencies): @stryke/* packages are first-party Storm Software org packages, consistent with monorepo publishing pattern for this package family. | ai | |
| dependencies | unvetted-dep:@stryke/env | AI (dependencies): @stryke/* packages are first-party Storm Software org packages, consistent with monorepo publishing pattern for this package family. | ai | |
| phantom-deps | phantom-dep:@storm-software/config | AI (phantom-deps): Referenced in config files but not directly imported is expected behavior for a config package in a monorepo build tool context. | ai | |
| phantom-deps | phantom-dep:@babel/types | AI (phantom-deps): @babel/types is a well-known package loaded by convention in build tooling; phantom dep finding is expected for this type of framework package. | ai | |
| dependencies | unvetted-dep:@storm-software/config-tools | AI (dependencies): @storm-software/* packages are first-party Storm Software org packages, consistent with monorepo publishing pattern. | ai | |
Versions (showing 51 of 190)
| Version | Deps | Published |
|---|---|---|
| 0.47.124 | 12 / 5 | |
| 0.47.123 | 12 / 5 | |
| 0.47.122 | 12 / 5 | |
| 0.47.121 | 12 / 5 | |
| 0.47.120 | 12 / 5 | |
| 0.47.119 | 12 / 5 | |
| 0.47.118 | 12 / 5 | |
| 0.47.117 | 12 / 5 | |
| 0.47.116 | 12 / 5 | |
| 0.47.115 | 12 / 5 | |
| 0.47.114 | 12 / 5 | |
| 0.47.113 | 12 / 5 | |
| 0.47.112 | 12 / 5 | |
| 0.47.111 | 12 / 5 | |
| 0.47.110 | 12 / 5 | |
| 0.47.109 | 12 / 5 | |
| 0.47.108 | 12 / 5 | |
| 0.47.107 | 12 / 5 | |
| 0.47.106 | 12 / 5 | |
| 0.47.105 | 12 / 5 | |
| 0.47.104 | 12 / 5 | |
| 0.47.103 | 12 / 5 | |
| 0.47.102 | 12 / 5 | |
| 0.47.101 | 12 / 5 | |
| 0.47.100 | 12 / 5 | |
| 0.47.99 | 12 / 5 | |
| 0.47.98 | 12 / 5 | |
| 0.47.97 | 12 / 5 | |
| 0.47.96 | 12 / 5 | |
| 0.47.95 | 12 / 5 | |
| 0.47.94 | 12 / 5 | |
| 0.47.93 | 12 / 5 | |
| 0.47.92 | 12 / 5 | |
| 0.47.91 | 12 / 5 | |
| 0.47.90 | 12 / 5 | |
| 0.47.89 | 12 / 5 | |
| 0.47.88 | 12 / 5 | |
| 0.47.87 | 12 / 5 | |
| 0.47.86 | 12 / 5 | |
| 0.47.85 | 12 / 5 | |
| 0.47.84 | 12 / 5 | |
| 0.47.83 | 12 / 5 | |
| 0.47.81 | 12 / 5 | |
| 0.47.80 | 12 / 5 | |
| 0.47.79 | 12 / 5 | |
| 0.47.78 | 12 / 5 | |
| 0.47.77 | 12 / 5 | |
| 0.47.76 | 11 / 5 | |
| 0.47.75 | 11 / 5 | |
| 0.47.74 | 11 / 5 | |
| 0.47.73 | 11 / 5 | |
v0.47.124
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.123
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.122
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.121
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.120
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.119
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.118
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.117
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.116
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.115
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.114
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.113
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.112
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.111
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.110
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.109
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.108
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.107
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.106
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.105
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.104
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.103
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.102
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.101
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.100
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.99
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.98
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.97
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.96
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.95
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.94
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.93
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.92
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.91
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.90
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.89
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.88
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.87
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.47.86
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-30, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.85
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-28, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.84
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-28, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.83
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-28, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.81
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-28, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.80
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-28, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.79
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.78
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.77
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.76
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.75
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.74
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-27, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.47.73
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-26, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.