@514labs/moose-lib — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

calliclestimgdelislejonathan514luciofrancogeorgevanderson514bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-peer-dep:ts-patch	AI (dependencies): Peer dependency in optional peer deps; already marked as accepted risk.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): 514labs transitioned from 514bot to GitHub Actions for publishing, confirmed by SLSA provenance attestation. This is a legitimate CI/CD migration, not a compromise.	ai	2026/04/27
maintainer-change	maintainer-added	AI (maintainer-change): luciofranco appears to be a legitimate team member addition within the 514labs org, consistent with the GitHub Actions publishing transition and SLSA attestation.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): @514labs/kafka-javascript is a same-org scoped package, not a third-party injection. Consistent with internal tooling expansion.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Provenance attestation is missing but common across npm ecosystem; not a disqualifier for established packages with clean publisher track records.	ai	2026/04/27
dependencies	unvetted-dep:@confluentinc/kafka-javascript	AI (dependencies): @confluentinc/kafka-javascript is the official Confluent Kafka JS client; legitimate dependency for a data engineering framework like moose-lib.	ai	2026/04/27
phantom-deps	phantom-dep:tsconfig-paths	AI (phantom-deps): tsconfig-paths is used at runtime via ts-node for TypeScript path resolution; not directly imported in source but legitimately needed.	ai	2026/04/27
bogus-package	bogus-package	AI (bogus-package): Package is 695 days old with 4213 versions and a legitimate data engineering framework purpose; missing metadata is a hygiene issue, not a spam/malware indicator.	ai	2026/04/27
dependencies	unvetted-dep:@514labs/kafka-javascript	AI (dependencies): Publisher's own patched fork of kafka-javascript; consistent with the package's data infrastructure focus.	ai	2026/04/26
dependencies	unvetted-dep:@kafkajs/confluent-schema-registry	AI (dependencies): Well-known Confluent Schema Registry client maintained by the KafkaJS org. Legitimate dependency for Kafka-based data pipelines.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/client	AI (dependencies): Temporal.io SDK is a well-known, legitimate workflow orchestration library from Temporal Technologies. Stable dependency for this data infrastructure package.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/common	AI (dependencies): Temporal.io SDK common package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/worker	AI (dependencies): Temporal.io SDK worker package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/activity	AI (dependencies): Temporal.io SDK activity package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/workflow	AI (dependencies): Temporal.io SDK workflow package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@clickhouse/client-web	AI (dependencies): Official ClickHouse browser-compatible client from ClickHouse Inc. Legitimate dependency for a data infrastructure library.	ai	2026/04/26
npm-metadata	no-description	AI (npm-metadata): Automated CI/CD publishing pipeline for an established package; missing description is a cosmetic issue, not a security signal.	ai	2026/04/25
phantom-deps	phantom-dep:@clickhouse/client-web	AI (phantom-deps): ClickHouse web client declared for browser-compatible export path; phantom-dep flag is expected given the conditional export structure.	ai	2026/04/25
phantom-deps	phantom-dep:@temporalio/common	AI (phantom-deps): Temporal common types package declared for type-level usage; phantom-dep flag is expected for type/config dependencies.	ai	2026/04/25
phantom-deps	phantom-dep:fastq	AI (phantom-deps): fastq is a legitimate declared dependency used transitively; phantom-dep flag is a structural note, not a security concern for this package.	ai	2026/04/25

Versions (showing 100 of 576)

Version	Deps	Published
0.6.132	18 / 10	2025-10-15
0.6.131	18 / 10	2025-10-15
0.6.130	18 / 10	2025-10-15
0.6.129	18 / 10	2025-10-15
0.6.128	18 / 10	2025-10-13
0.6.127	18 / 10	2025-10-13
0.6.126	18 / 10	2025-10-13
0.6.125	18 / 10	2025-10-10
0.6.124	18 / 10	2025-10-10
0.6.123	18 / 10	2025-10-10
0.6.122	18 / 10	2025-10-10
0.6.121	18 / 10	2025-10-10
0.6.120	18 / 10	2025-10-09
0.6.119	18 / 10	2025-10-09
0.6.118	18 / 10	2025-10-09
0.6.117	18 / 10	2025-10-09
0.6.116	18 / 10	2025-10-08
0.6.115	18 / 10	2025-10-08
0.6.114	18 / 10	2025-10-08
0.6.113	18 / 10	2025-10-08
0.6.112	18 / 10	2025-10-08
0.6.111	18 / 10	2025-10-07
0.6.110	17 / 10	2025-10-07
0.6.109	17 / 10	2025-10-07
0.6.108	18 / 10	2025-10-07
0.6.107	18 / 10	2025-10-07
0.6.106	18 / 10	2025-10-06
0.6.105	18 / 10	2025-10-06
0.6.104	18 / 10	2025-10-06
0.6.103	18 / 10	2025-10-02
0.6.102	18 / 10	2025-10-02
0.6.101	18 / 10	2025-10-01
0.6.100	18 / 10	2025-10-01
0.6.99	18 / 10	2025-10-01
0.6.98	18 / 10	2025-09-30
0.6.97	18 / 10	2025-09-30
0.6.96	18 / 10	2025-09-30
0.6.95	18 / 10	2025-09-29
0.6.94	18 / 10	2025-09-27
0.6.93	18 / 10	2025-09-27
0.6.92	18 / 10	2025-09-26
0.6.91	18 / 10	2025-09-26
0.6.90	18 / 10	2025-09-26
0.6.89	18 / 10	2025-09-26
0.6.88	18 / 10	2025-09-26
0.6.87	18 / 10	2025-09-25
0.6.86	18 / 10	2025-09-25
0.6.85	18 / 10	2025-09-25
0.6.84	18 / 10	2025-09-24
0.6.83	18 / 10	2025-09-24
0.6.82	18 / 10	2025-09-24
0.6.81	18 / 10	2025-09-24
0.6.80	18 / 10	2025-09-24
0.6.79	18 / 10	2025-09-23
0.6.78	18 / 10	2025-09-23
0.6.77	17 / 10	2025-09-23
0.6.76	17 / 10	2025-09-22
0.6.75	17 / 10	2025-09-22
0.6.74	17 / 10	2025-09-20
0.6.73	17 / 10	2025-09-19
0.6.72	17 / 10	2025-09-19
0.6.71	17 / 10	2025-09-19
0.6.70	17 / 10	2025-09-18
0.6.69	17 / 10	2025-09-18
0.6.68	17 / 10	2025-09-18
0.6.67	17 / 10	2025-09-18
0.6.65	17 / 10	2025-09-18
0.6.64	17 / 10	2025-09-17
0.6.63	17 / 10	2025-09-17
0.6.62	17 / 10	2025-09-16
0.6.61	17 / 10	2025-09-16
0.6.60	17 / 10	2025-09-16
0.6.59	17 / 10	2025-09-16
0.6.58	17 / 10	2025-09-13
0.6.57	17 / 10	2025-09-13
0.6.56	17 / 10	2025-09-12
0.6.55	17 / 10	2025-09-12
0.6.54	17 / 10	2025-09-11
0.6.53	17 / 10	2025-09-11
0.6.52	17 / 10	2025-09-11
0.6.51	16 / 10	2025-09-11
0.6.50	16 / 10	2025-09-11
0.6.49	16 / 10	2025-09-11
0.6.48	16 / 10	2025-09-11
0.6.47	16 / 10	2025-09-11
0.6.46	16 / 10	2025-09-10
0.6.45	16 / 10	2025-09-10
0.6.44	16 / 10	2025-09-10
0.6.43	16 / 10	2025-09-10
0.6.42	16 / 10	2025-09-10
0.6.41	16 / 10	2025-09-10
0.6.40	16 / 10	2025-09-09
0.6.39	16 / 10	2025-09-09
0.6.38	16 / 10	2025-09-09
0.6.37	16 / 10	2025-09-08
0.6.36	16 / 10	2025-09-08
0.6.35	16 / 10	2025-09-07
0.6.34	16 / 10	2025-09-07
0.6.33	16 / 10	2025-09-05
0.6.32	16 / 10	2025-09-05

Showing 100 of 576 Next page →