@balena/open-balena-api

Internet of things, Made Simple

Versions: 51
License: AGPL-3.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, No source commit

Maintainers

balena.io, page

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:redlock | AI (dependencies): redlock is a legitimate Redis distributed lock library used by this API service. | ai |
phantom-deps | phantom-dep:@types/express-serve-static-core | AI (phantom-deps): Type-only transitive dependency of @types/express; not directly imported by convention. | ai |
dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP client; deprecated but not malicious, stable usage in this package. | ai |
phantom-deps | phantom-dep:@types/node-schedule | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/ndjson | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/memoizee | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/statuses | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/validator | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/basic-auth | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/proxy-addr | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/common-tags | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/compression | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/escape-html | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/json-schema | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/on-finished | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/compressible | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/jsonwebtoken | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/passport-jwt | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/randomstring | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/cache-manager | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/cookie-session | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/cache-manager-ioredis | AI (phantom-deps): TypeScript @types declaration package; loaded by convention, not a security risk. | ai |
phantom-deps | phantom-dep:@types/redlock | AI (phantom-deps): TypeScript type package; stable false positive. | ai |
phantom-deps | phantom-dep:@types/request | AI (phantom-deps): TypeScript type package; stable false positive. | ai |
phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): TypeScript type package; stable false positive. | ai |
phantom-deps | phantom-dep:@types/morgan | AI (phantom-deps): TypeScript type package; stable false positive. | ai |
phantom-deps | phantom-dep:@types/express | AI (phantom-deps): TypeScript type package; stable false positive. | ai |
phantom-deps | phantom-dep:@opentelemetry/core | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
phantom-deps | phantom-dep:@opentelemetry/sdk-node | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
phantom-deps | phantom-dep:@sentry/opentelemetry | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
phantom-deps | phantom-dep:@opentelemetry/context-async-hooks | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
phantom-deps | phantom-dep:@opentelemetry/instrumentation-http | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
phantom-deps | phantom-dep:@opentelemetry/instrumentation-express | AI (phantom-deps): OTel config-referenced package; stable false positive. | ai |
publish-pattern | rapid-publish | AI (publish-pattern): Automated CI/CD pipeline with SLSA provenance; rapid successive publishes are expected. | ai |
phantom-deps | phantom-dep:supervisor | AI (phantom-deps): Process manager referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:@swc/core | AI (phantom-deps): Build tooling referenced in config files; stable pattern for this package. | ai |
phantom-deps | phantom-dep:@types/ws | AI (phantom-deps): TypeScript type package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:bufferutil | AI (phantom-deps): Optional ws peer dep referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build tooling referenced in config; stable false positive. | ai |
phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped type package; stable false positive. | ai |
phantom-deps | phantom-dep:@swc-node/register | AI (phantom-deps): Test runner import in mocha config; stable false positive. | ai |
phantom-deps | phantom-dep:@balena/es-version | AI (phantom-deps): Same-org package used by convention; stable false positive. | ai |

Versions (showing 51 of 51)

Version Deps Published
47.1.9 102 / 16
47.1.8 102 / 16
47.1.7 102 / 16
47.1.6 102 / 16
47.1.5 102 / 16
47.1.4 102 / 16
47.1.3 102 / 16
47.1.2 102 / 16
47.1.1 102 / 16
47.1.0 102 / 16
47.0.9 102 / 16
47.0.8 102 / 16
47.0.7 102 / 16
47.0.4 102 / 16
47.0.1 102 / 18
46.2.3 102 / 18
46.2.0 102 / 18
46.1.0 102 / 18
46.0.24 102 / 18
46.0.20 102 / 18
46.0.19 102 / 18
46.0.16 102 / 18
46.0.13 102 / 18
46.0.11 102 / 18
46.0.9 102 / 18
46.0.6 102 / 18
46.0.4 102 / 18
46.0.2 102 / 18
45.1.21 102 / 18
45.1.16 102 / 18
45.1.14 102 / 18
45.1.13 102 / 18
45.1.9 102 / 18
45.1.8 101 / 18
45.1.7 101 / 18
45.1.5 101 / 18
45.1.4 101 / 18
45.1.3 101 / 18
45.1.2 101 / 18
44.3.0 100 / 18
43.8.0 100 / 18
43.5.14 96 / 18
43.5.9 96 / 18
43.5.8 96 / 18
43.5.7 96 / 18
43.5.6 96 / 18
43.5.5 96 / 18
43.5.2 96 / 18
43.3.7 96 / 18
43.3.2 96 / 18
43.1.5 95 / 18

v47.1.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.0.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.0.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v47.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.2.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.24

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.20

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.19

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v46.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.21

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v45.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v43.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v43.5.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.3.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v43.1.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.