
sqlite-vec

3 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

alex.garcia

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: bogus-package | Rule: bogus-package | Accepted by: ai | When:
Reason: AI (bogus-package): sqlite-vec is a legitimate SQLite extension by asg017. The thin payload and templated name shape are intentional — it's a platform-dispatch shim with per-platform optional deps. SLSA provenance confirms CI/CD publishing.

Source: license | Rule: uncommon-license:Apache | Accepted by: ai | When:
Reason: AI (license): MIT OR Apache dual-license is a standard open-source choice; the 'uncommon' flag is a false positive from the dual-license syntax.

Versions (showing 3 of 3)

Version Deps Published
0.1.9 0 / 0
0.1.8 0 / 0
0.1.7 0 / 0

v0.1.9

1 finding
INFO  Has SLSA provenance attestation  (rule: provenance)

Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1), which binds this tarball's digest to the build workflow that produced it. This is the strongest supply chain integrity signal the registry offers; it attests how the package was built, not that its contents are benign.

v0.1.8

2 findings
HIGH  Low-value / spam package indicators (4 signals, score 7)  (rule: bogus-package)

Matched 4 signal(s), weighted score 7:
- [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'alex.garcia' owns 115 packages, ≥70% share a templated name shape.
- [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section.
- [S_NO_KEYWORDS] No keywords declared.
- [S_TINY_PAYLOAD] Tiny payload: 3 code file(s), 4004 bytes total.

INFO  Has SLSA provenance attestation  (rule: provenance)

Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1), which binds this tarball's digest to the build workflow that produced it. This is the strongest supply chain integrity signal the registry offers; it attests how the package was built, not that its contents are benign.

v0.1.7

1 finding
INFO  Has SLSA provenance attestation  (rule: provenance)

Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1), which binds this tarball's digest to the build workflow that produced it. This is the strongest supply chain integrity signal the registry offers; it attests how the package was built, not that its contents are benign.
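The provenance findings above (v0.1.9, v0.1.8 and v0.1.7) and the "No source commit" status in the provenance strip both come down to what the attestation's in-toto Statement actually says. The following is an added example, not code from this scanner page or from the sqlite-vec project: it decodes the DSSE envelope of a Sigstore bundle in the shape the npm registry returns from its attestations endpoint (an assumption about that JSON layout, stated in the code), checks that the statement's subject names the exact package version and matches the tarball's dist.integrity, confirms the SLSA v1 predicate type, and pulls the source commit out of buildDefinition.resolvedDependencies when the builder recorded one. The package name and version are taken from this page; the tarball bytes, digests, repository URL and commit hash are constructed sample data. Signature and Rekor verification are deliberately out of scope; `npm audit signatures` performs them.

```python
# Added example, not code from the scanner page or the sqlite-vec project.
# Assumed shape: the registry's /-/npm/v1/attestations/<name>@<version>
# response is {"attestations": [{"predicateType": ..., "bundle": {"dsseEnvelope": ...}}]}
# and the envelope payload is a base64 in-toto Statement.
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
DSSE_INTOTO = "application/vnd.in-toto+json"


def sri_to_hex(sri):
    """Convert an SRI string such as 'sha512-<base64>' to (algo, hex digest)."""
    algo, b64 = sri.split("-", 1)
    return algo, base64.b64decode(b64).hex()


def decode_statement(envelope):
    """Decode the in-toto Statement carried by a DSSE envelope (no signature check)."""
    if envelope.get("payloadType") != DSSE_INTOTO:
        raise ValueError("unexpected DSSE payloadType: %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(attestations, pkg_name, version, dist_integrity):
    """Report which provenance checks pass for one package version.

    dist_integrity is the packument's dist.integrity SRI string.
    """
    result = {"slsa_v1": False, "subject_matches": False,
              "source_uri": None, "source_commit": None}
    algo, want_hex = sri_to_hex(dist_integrity)
    purl = "pkg:npm/%s@%s" % (pkg_name, version)
    for att in attestations.get("attestations", []):
        if att.get("predicateType") != SLSA_V1:
            continue  # e.g. the separate npm publish attestation; not build provenance
        stmt = decode_statement(att["bundle"]["dsseEnvelope"])
        if stmt.get("predicateType") != SLSA_V1:
            continue  # outer label and signed statement disagree; do not trust the label
        result["slsa_v1"] = True
        # The subject must name this exact version and the tarball digest we hold.
        for subj in stmt.get("subject", []):
            if subj.get("name") == purl and subj.get("digest", {}).get(algo) == want_hex:
                result["subject_matches"] = True
        # Source commit, if the builder recorded one. An empty result here is
        # what a "No source commit" status amounts to.
        deps = stmt.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
        for dep in deps:
            commit = dep.get("digest", {}).get("gitCommit")
            if commit:
                result["source_uri"] = dep.get("uri")
                result["source_commit"] = commit
    return result


# --- Constructed sample data; none of these bytes or hashes are real sqlite-vec artifacts ---
SAMPLE_COMMIT = "deadbeef" * 5  # fabricated 40-hex-char commit id


def build_sample():
    """Build a fake tarball, its SRI integrity string and a matching attestation."""
    tarball = b"constructed tarball bytes, not a real npm package"
    digest = hashlib.sha512(tarball).digest()
    integrity = "sha512-" + base64.b64encode(digest).decode()
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/sqlite-vec@0.1.9",
                     "digest": {"sha512": digest.hex()}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"resolvedDependencies": [
            {"uri": "git+https://github.com/example-org/sqlite-vec@refs/tags/v0.1.9",  # placeholder repo
             "digest": {"gitCommit": SAMPLE_COMMIT}}]}},
    }
    envelope = {"payloadType": DSSE_INTOTO,
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"sig": "not-checked-here"}]}
    return {"attestations": [{"predicateType": SLSA_V1,
                              "bundle": {"dsseEnvelope": envelope}}]}, integrity


SAMPLE_ATTESTATIONS, SAMPLE_INTEGRITY = build_sample()
# Same attestation, but the tarball on the registry has been swapped.
TAMPERED_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(b"swapped").digest()).decode()

if __name__ == "__main__":
    print(check_provenance(SAMPLE_ATTESTATIONS, "sqlite-vec", "0.1.9", SAMPLE_INTEGRITY))
    print(check_provenance(SAMPLE_ATTESTATIONS, "sqlite-vec", "0.1.9", TAMPERED_INTEGRITY))
```

The two calls at the bottom show the difference between a provenance label and a provenance check: the tampered case still reports slsa_v1 true, because the statement is well formed, but subject_matches false, because the digest the statement vouches for is not the digest of the tarball being installed. Asking for version 0.1.8 against the same statement fails the same way, since the purl in the subject is version-specific.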