supabase
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@vercel/detect-agent | AI (phantom-deps): Framework-scoped package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@napi-rs/keyring | AI (phantom-deps): Native keyring binding for credential storage in CLI. | ai | |
| phantom-deps | phantom-dep:@effect/atom-react | AI (phantom-deps): Effect ecosystem dep used transitively in the TUI layer. | ai | |
| phantom-deps | phantom-dep:@effect/platform-bun | AI (phantom-deps): Bun platform adapter for Effect; used at runtime. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance present; gitHead absence is a CI config change, not a security signal. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): Ink is a peer/transitive dep used by the TUI framework in this CLI monorepo. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): React is a peer dep of ink, required at runtime for the TUI. | ai | |
| phantom-deps | phantom-dep:effect | AI (phantom-deps): Effect is used transitively via @effect/* packages in this monorepo. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): Ink-spinner is a TUI component used in the CLI's ink-based UI. | ai | |
| phantom-deps | phantom-dep:posthog-node | AI (phantom-deps): Analytics dep referenced in config; stable for this CLI package. | ai | |
| phantom-deps | phantom-dep:@clack/prompts | AI (phantom-deps): CLI prompt library referenced in config; stable for this package. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher | AI (phantom-deps): File watcher for dev mode; referenced in config files. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Supabase CLI uses automated CI/CD releases; rapid successive publishes are expected and backed by SLSA provenance. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Supabase CLI is published via GitHub Actions with SLSA/Sigstore provenance attestation, ruling out account takeover. Dormancy pattern is a false positive for this verified CI/CD-published package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Supabase CLI's postinstall fetches platform-specific prebuilt binaries: a documented, stable install pattern consistent with its declared dependencies (node-fetch, tar, bin-links, https-proxy-agent). | ai | |
Versions (showing 100 of 143)
| Version | Deps | Published |
|---|---|---|
| 2.105.0 | 0 / 34 | |
| 2.104.0 | 0 / 31 | |
| 2.103.0 | 0 / 31 | |
| 2.102.0 | 0 / 31 | |
| 2.101.0 | 0 / 28 | |
| 2.100.1 | 0 / 27 | |
| 2.100.0 | 0 / 27 | |
| 2.99.0 | 11 / 16 | |
| 2.98.2 | 4 / 0 | |
| 2.98.1 | 4 / 0 | |
| 2.98.0 | 4 / 0 | |
| 2.97.0 | 4 / 0 | |
| 2.96.0 | 4 / 0 | |
| 2.95.7 | 4 / 0 | |
| 2.95.6 | 4 / 0 | |
| 2.95.5 | 4 / 0 | |
| 2.95.4 | 4 / 0 | |
| 2.95.3 | 4 / 0 | |
| 2.95.1 | 4 / 0 | |
| 2.90.1 | 4 / 0 | |
| 2.87.0 | 4 / 0 | |
| 2.84.5 | 4 / 0 | |
| 2.84.0 | 4 / 0 | |
| 2.78.0 | 4 / 0 | |
| 2.64.1 | 4 / 0 | |
| 2.54.8 | 4 / 0 | |
| 2.54.7 | 4 / 0 | |
| 2.54.6 | 4 / 0 | |
| 2.54.5 | 4 / 0 | |
| 2.54.3 | 4 / 0 | |
| 2.54.2 | 4 / 0 | |
| 2.54.1 | 4 / 0 | |
| 2.54.0 | 4 / 0 | |
| 2.53.10 | 4 / 0 | |
| 2.53.9 | 4 / 0 | |
| 2.53.8 | 4 / 0 | |
| 2.53.7 | 4 / 0 | |
| 2.53.6 | 4 / 0 | |
| 2.53.5 | 4 / 0 | |
| 2.53.4 | 4 / 0 | |
| 2.53.3 | 4 / 0 | |
| 2.53.2 | 4 / 0 | |
| 2.53.1 | 4 / 0 | |
| 2.53.0 | 4 / 0 | |
| 2.52.4 | 4 / 0 | |
| 2.52.2 | 4 / 0 | |
| 2.52.1 | 4 / 0 | |
| 2.52.0 | 4 / 0 | |
| 2.51.5 | 4 / 0 | |
| 2.51.4 | 4 / 0 | |
| 2.51.2 | 4 / 0 | |
| 2.51.1 | 4 / 0 | |
| 2.51.0 | 4 / 0 | |
| 2.50.13 | 4 / 0 | |
| 2.50.12 | 4 / 0 | |
| 2.50.11 | 4 / 0 | |
| 2.50.10 | 4 / 0 | |
| 2.50.9 | 4 / 0 | |
| 2.50.8 | 4 / 0 | |
| 2.50.6 | 4 / 0 | |
| 2.50.5 | 4 / 0 | |
| 2.50.4 | 4 / 0 | |
| 2.50.2 | 4 / 0 | |
| 2.50.1 | 4 / 0 | |
| 2.49.0 | 4 / 0 | |
| 2.48.2 | 4 / 0 | |
| 2.48.0 | 4 / 0 | |
| 2.47.2 | 4 / 0 | |
| 2.47.0 | 4 / 0 | |
| 2.46.1 | 4 / 0 | |
| 2.46.0 | 4 / 0 | |
| 2.45.4 | 4 / 0 | |
| 2.45.3 | 4 / 0 | |
| 2.45.1 | 4 / 0 | |
| 2.45.0 | 4 / 0 | |
| 2.43.1 | 4 / 0 | |
| 2.43.0 | 4 / 0 | |
| 2.42.0 | 4 / 0 | |
| 2.41.4 | 4 / 0 | |
| 2.41.3 | 4 / 0 | |
| 2.41.2 | 4 / 0 | |
| 2.41.0 | 4 / 0 | |
| 2.40.7 | 4 / 0 | |
| 2.40.6 | 4 / 0 | |
| 2.40.5 | 4 / 0 | |
| 2.40.4 | 4 / 0 | |
| 2.40.2 | 4 / 0 | |
| 2.40.1 | 4 / 0 | |
| 2.40.0 | 4 / 0 | |
| 2.39.1 | 4 / 0 | |
| 2.38.2 | 4 / 0 | |
| 2.38.1 | 4 / 0 | |
| 2.38.0 | 4 / 0 | |
| 2.37.1 | 4 / 0 | |
| 2.36.2 | 4 / 0 | |
| 2.36.1 | 4 / 0 | |
| 2.36.0 | 4 / 0 | |
| 2.35.1 | 4 / 0 | |
| 2.35.0 | 4 / 0 | |
| 2.34.2 | 4 / 0 | |
v2.105.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.104.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.103.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.102.0
2 findings
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v2.101.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.100.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.100.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.99.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.98.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.98.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.98.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.97.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.96.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.95.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.95.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.95.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.95.3
2 findings
Script: node scripts/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.95.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.90.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.87.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.84.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.84.0
2 findings
Script: node scripts/postinstall.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.78.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.64.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.54.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.54.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.54.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.54.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.54.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.54.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.54.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.54.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.53.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.52.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.52.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.52.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.52.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.51.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.51.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.51.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.51.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.51.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.50.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.49.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.48.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.48.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.47.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.47.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.46.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.46.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.45.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.45.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.45.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.45.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.43.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.43.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.42.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.41.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.41.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.41.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.41.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.39.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.38.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.38.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.38.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.37.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.36.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.36.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.36.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.35.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.35.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.34.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.