@514labs/moose-lib — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

calliclestimgdelislejonathan514luciofrancogeorgevanderson514bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-peer-dep:ts-patch	AI (dependencies): Peer dependency in optional peer deps; already marked as accepted risk.	ai	2026/04/27
provenance	publisher-changed	AI (provenance): 514labs transitioned from 514bot to GitHub Actions for publishing, confirmed by SLSA provenance attestation. This is a legitimate CI/CD migration, not a compromise.	ai	2026/04/27
maintainer-change	maintainer-added	AI (maintainer-change): luciofranco appears to be a legitimate team member addition within the 514labs org, consistent with the GitHub Actions publishing transition and SLSA attestation.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): @514labs/kafka-javascript is a same-org scoped package, not a third-party injection. Consistent with internal tooling expansion.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Provenance attestation is missing but common across npm ecosystem; not a disqualifier for established packages with clean publisher track records.	ai	2026/04/27
dependencies	unvetted-dep:@confluentinc/kafka-javascript	AI (dependencies): @confluentinc/kafka-javascript is the official Confluent Kafka JS client; legitimate dependency for a data engineering framework like moose-lib.	ai	2026/04/27
phantom-deps	phantom-dep:tsconfig-paths	AI (phantom-deps): tsconfig-paths is used at runtime via ts-node for TypeScript path resolution; not directly imported in source but legitimately needed.	ai	2026/04/27
bogus-package	bogus-package	AI (bogus-package): Package is 695 days old with 4213 versions and a legitimate data engineering framework purpose; missing metadata is a hygiene issue, not a spam/malware indicator.	ai	2026/04/27
dependencies	unvetted-dep:@514labs/kafka-javascript	AI (dependencies): Publisher's own patched fork of kafka-javascript; consistent with the package's data infrastructure focus.	ai	2026/04/26
dependencies	unvetted-dep:@kafkajs/confluent-schema-registry	AI (dependencies): Well-known Confluent Schema Registry client maintained by the KafkaJS org. Legitimate dependency for Kafka-based data pipelines.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/client	AI (dependencies): Temporal.io SDK is a well-known, legitimate workflow orchestration library from Temporal Technologies. Stable dependency for this data infrastructure package.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/common	AI (dependencies): Temporal.io SDK common package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/worker	AI (dependencies): Temporal.io SDK worker package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/activity	AI (dependencies): Temporal.io SDK activity package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@temporalio/workflow	AI (dependencies): Temporal.io SDK workflow package from Temporal Technologies. Legitimate and stable dependency.	ai	2026/04/26
dependencies	unvetted-dep:@clickhouse/client-web	AI (dependencies): Official ClickHouse browser-compatible client from ClickHouse Inc. Legitimate dependency for a data infrastructure library.	ai	2026/04/26
npm-metadata	no-description	AI (npm-metadata): Automated CI/CD publishing pipeline for an established package; missing description is a cosmetic issue, not a security signal.	ai	2026/04/25
phantom-deps	phantom-dep:@clickhouse/client-web	AI (phantom-deps): ClickHouse web client declared for browser-compatible export path; phantom-dep flag is expected given the conditional export structure.	ai	2026/04/25
phantom-deps	phantom-dep:@temporalio/common	AI (phantom-deps): Temporal common types package declared for type-level usage; phantom-dep flag is expected for type/config dependencies.	ai	2026/04/25
phantom-deps	phantom-dep:fastq	AI (phantom-deps): fastq is a legitimate declared dependency used transitively; phantom-dep flag is a structural note, not a security concern for this package.	ai	2026/04/25

Versions (showing 100 of 576)

Version	Deps	Published
0.6.232	17 / 10	2025-11-25
0.6.231	17 / 10	2025-11-25
0.6.230	17 / 10	2025-11-25
0.6.229	17 / 10	2025-11-25
0.6.228	17 / 10	2025-11-24
0.6.227	17 / 10	2025-11-23
0.6.226	17 / 10	2025-11-21
0.6.225	17 / 10	2025-11-20
0.6.224	17 / 10	2025-11-19
0.6.223	17 / 10	2025-11-19
0.6.222	17 / 10	2025-11-19
0.6.221	17 / 10	2025-11-19
0.6.220	17 / 10	2025-11-19
0.6.219	17 / 10	2025-11-18
0.6.218	17 / 10	2025-11-18
0.6.217	17 / 10	2025-11-18
0.6.216	17 / 10	2025-11-18
0.6.215	17 / 10	2025-11-18
0.6.214	17 / 10	2025-11-18
0.6.213	17 / 10	2025-11-17
0.6.212	17 / 10	2025-11-17
0.6.211	17 / 10	2025-11-17
0.6.210	17 / 10	2025-11-17
0.6.209	17 / 10	2025-11-15
0.6.208	17 / 10	2025-11-15
0.6.207	17 / 10	2025-11-14
0.6.206	17 / 10	2025-11-14
0.6.205	17 / 10	2025-11-14
0.6.204	17 / 10	2025-11-14
0.6.203	17 / 10	2025-11-14
0.6.202	17 / 10	2025-11-13
0.6.201	17 / 10	2025-11-13
0.6.200	17 / 10	2025-11-13
0.6.199	17 / 10	2025-11-13
0.6.198	17 / 10	2025-11-13
0.6.197	17 / 10	2025-11-13
0.6.196	17 / 10	2025-11-13
0.6.195	17 / 10	2025-11-12
0.6.194	17 / 10	2025-11-12
0.6.193	17 / 10	2025-11-12
0.6.192	17 / 10	2025-11-11
0.6.191	17 / 10	2025-11-11
0.6.190	17 / 10	2025-11-11
0.6.189	17 / 10	2025-11-11
0.6.188	17 / 10	2025-11-10
0.6.187	17 / 10	2025-11-10
0.6.186	17 / 10	2025-11-08
0.6.185	17 / 10	2025-11-07
0.6.184	17 / 10	2025-11-07
0.6.183	17 / 10	2025-11-07
0.6.182	17 / 10	2025-11-06
0.6.181	17 / 10	2025-11-06
0.6.180	17 / 10	2025-11-05
0.6.179	17 / 10	2025-11-05
0.6.178	17 / 10	2025-11-05
0.6.177	17 / 10	2025-11-04
0.6.176	17 / 10	2025-11-04
0.6.175	17 / 10	2025-11-04
0.6.174	17 / 10	2025-11-04
0.6.173	17 / 10	2025-11-04
0.6.172	17 / 10	2025-11-04
0.6.171	17 / 10	2025-11-04
0.6.170	17 / 10	2025-11-04
0.6.169	17 / 10	2025-11-03
0.6.168	17 / 10	2025-11-02
0.6.167	17 / 10	2025-11-01
0.6.166	17 / 10	2025-10-30
0.6.165	17 / 10	2025-10-29
0.6.164	17 / 10	2025-10-29
0.6.163	17 / 10	2025-10-29
0.6.162	17 / 10	2025-10-28
0.6.161	17 / 10	2025-10-28
0.6.160	17 / 10	2025-10-28
0.6.159	17 / 10	2025-10-28
0.6.158	18 / 10	2025-10-28
0.6.157	18 / 10	2025-10-24
0.6.156	18 / 10	2025-10-24
0.6.155	18 / 10	2025-10-24
0.6.154	18 / 10	2025-10-23
0.6.153	18 / 10	2025-10-23
0.6.152	18 / 10	2025-10-23
0.6.151	18 / 10	2025-10-23
0.6.150	18 / 10	2025-10-23
0.6.149	18 / 10	2025-10-22
0.6.148	18 / 10	2025-10-22
0.6.147	18 / 10	2025-10-21
0.6.146	18 / 10	2025-10-21
0.6.145	18 / 10	2025-10-21
0.6.144	18 / 10	2025-10-21
0.6.143	18 / 10	2025-10-20
0.6.142	18 / 10	2025-10-20
0.6.141	18 / 10	2025-10-18
0.6.140	18 / 10	2025-10-18
0.6.139	18 / 10	2025-10-17
0.6.138	18 / 10	2025-10-17
0.6.137	18 / 10	2025-10-17
0.6.136	18 / 10	2025-10-16
0.6.135	18 / 10	2025-10-16
0.6.134	18 / 10	2025-10-16
0.6.133	18 / 10	2025-10-16

Showing 100 of 576 Next page →