verstak
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:markdown-it | AI (dependencies): markdown-it is a well-established, widely-used library; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with consistent publish history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@types/linkify-it | AI (phantom-deps): Type-only peer dep for markdown-it; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:markdown-it-prism | AI (phantom-deps): Plugin loaded via config convention, not direct import; stable pattern for this package. | ai |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 0.96.26029 | 6 / 12 | |
| 0.96.26027 | 6 / 12 | |
| 0.96.26026 | 6 / 12 | |
| 0.96.26025 | 6 / 12 | |
| 0.96.26021 | 6 / 12 | |
| 0.96.26020 | 6 / 12 | |
| 0.96.26019 | 6 / 12 | |
| 0.96.26018 | 6 / 12 | |
| 0.96.26013 | 6 / 12 | |
| 0.96.26003 | 6 / 12 | |
| 0.95.25048 | 6 / 12 | |
| 0.95.25045 | 6 / 12 | |
| 0.94.25030 | 6 / 11 | |
| 0.94.25029 | 6 / 11 |
v0.96.26029
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.96.26027
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26026
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26025
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26021
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26020
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26019
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26018
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26013
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.96.26003
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.95.25048
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.95.25045
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.94.25030
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.94.25029
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.