pqb
Postgres query builder
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publishing with SLSA attestation; consistent with CI/CD automation for this established package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation and no code changes confirm legitimate publish despite dormancy gap. | ai | |
| dependencies | unvetted-dep:orchid-core | AI (dependencies): orchid-core is a sibling package in the same orchid-orm monorepo; stable internal dependency. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): pqb = Postgres Query Builder; established package with 478 versions, not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): pqb is unrelated to qs; name is an acronym for its documented purpose. | ai | |
| phantom-deps | phantom-dep:@types/pg | AI (phantom-deps): @types/pg is a runtime dependency used for type declarations with the pg peer dep; not a phantom dep concern. | ai | |
Versions (showing 51 of 61)
| Version | Deps | Published |
|---|---|---|
| 0.66.8 | 1 / 2 | |
| 0.66.7 | 1 / 2 | |
| 0.66.6 | 1 / 2 | |
| 0.66.5 | 1 / 2 | |
| 0.66.4 | 1 / 2 | |
| 0.66.3 | 1 / 2 | |
| 0.66.2 | 1 / 2 | |
| 0.66.1 | 1 / 2 | |
| 0.66.0 | 1 / 2 | |
| 0.65.6 | 1 / 2 | |
| 0.65.5 | 1 / 2 | |
| 0.65.4 | 1 / 2 | |
| 0.65.3 | 1 / 2 | |
| 0.65.2 | 1 / 2 | |
| 0.65.1 | 1 / 2 | |
| 0.65.0 | 1 / 2 | |
| 0.64.1 | 1 / 2 | |
| 0.64.0 | 1 / 2 | |
| 0.63.0 | 1 / 2 | |
| 0.62.1 | 1 / 2 | |
| 0.61.13 | 1 / 2 | |
| 0.61.12 | 1 / 2 | |
| 0.61.11 | 1 / 2 | |
| 0.61.10 | 1 / 2 | |
| 0.61.9 | 1 / 2 | |
| 0.61.7 | 1 / 2 | |
| 0.61.5 | 1 / 2 | |
| 0.61.4 | 1 / 2 | |
| 0.61.3 | 1 / 2 | |
| 0.61.2 | 1 / 2 | |
| 0.61.1 | 1 / 2 | |
| 0.61.0 | 1 / 2 | |
| 0.60.6 | 1 / 2 | |
| 0.60.5 | 1 / 2 | |
| 0.60.4 | 1 / 2 | |
| 0.60.3 | 1 / 2 | |
| 0.60.2 | 1 / 2 | |
| 0.60.1 | 1 / 2 | |
| 0.60.0 | 1 / 2 | |
| 0.59.3 | 1 / 2 | |
| 0.59.2 | 1 / 2 | |
| 0.59.1 | 1 / 2 | |
| 0.59.0 | 1 / 2 | |
| 0.58.5 | 1 / 2 | |
| 0.58.4 | 1 / 2 | |
| 0.58.3 | 1 / 2 | |
| 0.58.2 | 1 / 2 | |
| 0.58.1 | 1 / 2 | |
| 0.58.0 | 1 / 2 | |
| 0.57.7 | 1 / 2 | |
| 0.57.6 | 1 / 2 | |
v0.66.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.66.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.65.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.64.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.63.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.62.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.11
2 findings: This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.10
2 findings: This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.9
2 findings: This version was published by a different npm account than previous versions on 2026-03-15. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.61.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.61.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.60.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.59.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.59.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.59.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.59.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.58.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.57.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.57.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.