supabase
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@vercel/detect-agent | AI (phantom-deps): Framework-scoped package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@napi-rs/keyring | AI (phantom-deps): Native keyring binding for credential storage in CLI. | ai | |
| phantom-deps | phantom-dep:@effect/atom-react | AI (phantom-deps): Effect ecosystem dep used transitively in the TUI layer. | ai | |
| phantom-deps | phantom-dep:@effect/platform-bun | AI (phantom-deps): Bun platform adapter for Effect; used at runtime. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance present; gitHead absence is a CI config change, not a security signal. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): Ink is a peer/transitive dep used by the TUI framework in this CLI monorepo. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): React is a peer dep of ink, required at runtime for the TUI. | ai | |
| phantom-deps | phantom-dep:effect | AI (phantom-deps): Effect is used transitively via @effect/* packages in this monorepo. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): Ink-spinner is a TUI component used in the CLI's ink-based UI. | ai | |
| phantom-deps | phantom-dep:posthog-node | AI (phantom-deps): Analytics dep referenced in config; stable for this CLI package. | ai | |
| phantom-deps | phantom-dep:@clack/prompts | AI (phantom-deps): CLI prompt library referenced in config; stable for this package. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher | AI (phantom-deps): File watcher for dev mode; referenced in config files. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Supabase CLI uses automated CI/CD releases; rapid successive publishes are expected and backed by SLSA provenance. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Supabase CLI is published via GitHub Actions with SLSA/Sigstore provenance attestation, ruling out account takeover. Dormancy pattern is a false positive for this verified CI/CD-published package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Supabase CLI's postinstall fetches platform-specific prebuilt binaries — a documented, stable install pattern consistent with its declared dependencies (node-fetch, tar, bin-links, https-proxy-agent). | ai | |
Versions (showing 51 of 143)
| Version | Deps | Published |
|---|---|---|
| 2.105.0 | 0 / 34 | |
| 2.104.0 | 0 / 31 | |
| 2.103.0 | 0 / 31 | |
| 2.102.0 | 0 / 31 | |
| 2.101.0 | 0 / 28 | |
| 2.100.1 | 0 / 27 | |
| 2.100.0 | 0 / 27 | |
| 2.99.0 | 11 / 16 | |
| 2.98.2 | 4 / 0 | |
| 2.98.1 | 4 / 0 | |
| 2.98.0 | 4 / 0 | |
| 2.97.0 | 4 / 0 | |
| 2.96.0 | 4 / 0 | |
| 2.95.7 | 4 / 0 | |
| 2.95.6 | 4 / 0 | |
| 2.95.5 | 4 / 0 | |
| 2.95.4 | 4 / 0 | |
| 2.95.3 | 4 / 0 | |
| 2.95.1 | 4 / 0 | |
| 2.90.1 | 4 / 0 | |
| 2.87.0 | 4 / 0 | |
| 2.84.5 | 4 / 0 | |
| 2.84.0 | 4 / 0 | |
| 2.78.0 | 4 / 0 | |
| 2.64.1 | 4 / 0 | |
| 2.54.8 | 4 / 0 | |
| 2.54.7 | 4 / 0 | |
| 2.54.6 | 4 / 0 | |
| 2.54.5 | 4 / 0 | |
| 2.54.3 | 4 / 0 | |
| 2.54.2 | 4 / 0 | |
| 2.54.1 | 4 / 0 | |
| 2.54.0 | 4 / 0 | |
| 2.53.10 | 4 / 0 | |
| 2.53.9 | 4 / 0 | |
| 2.53.8 | 4 / 0 | |
| 2.53.7 | 4 / 0 | |
| 2.53.6 | 4 / 0 | |
| 2.53.5 | 4 / 0 | |
| 2.53.4 | 4 / 0 | |
| 2.53.3 | 4 / 0 | |
| 2.53.2 | 4 / 0 | |
| 2.53.1 | 4 / 0 | |
| 2.53.0 | 4 / 0 | |
| 2.52.4 | 4 / 0 | |
| 2.52.2 | 4 / 0 | |
| 2.52.1 | 4 / 0 | |
| 2.52.0 | 4 / 0 | |
| 2.51.5 | 4 / 0 | |
| 2.51.4 | 4 / 0 | |
| 2.51.2 | 4 / 0 | |
v2.105.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.104.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.103.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.102.0
2 findings:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v2.101.0
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.100.1
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.100.0
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.99.0
2 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.98.2
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.98.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.98.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.97.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.96.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.95.7
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.95.5
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.95.4
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.95.3
2 findings:
- Script: node scripts/postinstall.js
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.95.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.90.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.87.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.84.5
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.84.0
2 findings:
- Script: node scripts/postinstall.js
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.78.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.64.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.54.8
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.54.7
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.54.6
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.54.5
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.54.3
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.54.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.54.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.54.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.10
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.9
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.8
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.7
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.6
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.5
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.4
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.3
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.53.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.52.4
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.52.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.52.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.52.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.51.5
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.51.4
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.51.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.