@bunchtogether/boost-client
## API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@callstack/async-storage | AI (phantom-deps): @callstack/async-storage is explicitly declared in dependencies and referenced in build config; phantom-dep false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package has 111 versions and a long history; new source files reflect legitimate package growth/refactoring, not injected code. Publisher has clean track record. | ai | |
| dependencies | unvetted-dep:superagent | AI (dependencies): superagent is a well-established HTTP client library; its use is consistent with this package's client-side data-fetching purpose. | ai | |
| dependencies | unvetted-dep:query-string | AI (dependencies): query-string is a popular, well-maintained URL query string utility; no risk concerns. | ai | |
| dependencies | unvetted-dep:superagent-use | AI (dependencies): superagent-use is a standard superagent plugin mechanism; expected alongside superagent dependency. | ai | |
| dependencies | unvetted-dep:superagent-prefix | AI (dependencies): superagent-prefix is a standard superagent plugin for URL prefixing; expected alongside superagent dependency. | ai | |
| dependencies | unvetted-dep:@callstack/async-storage | AI (dependencies): @callstack/async-storage is a well-known React Native async storage library from a reputable org; no risk concerns. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption; lack of attestation is expected for packages of this age and is not a risk signal. | ai | |
| dependencies | unvetted-dep:redux-saga | AI (dependencies): redux-saga is a well-known, widely-used Redux middleware library; its presence is expected and benign for this package. | ai | |
Versions (showing 11 of 111)
| Version | Deps | Published |
|---|---|---|
| 1.0.10 | 10 / 22 | |
| 1.0.9 | 10 / 22 | |
| 1.0.8 | 10 / 22 | |
| 1.0.7 | 10 / 22 | |
| 1.0.6 | 10 / 22 | |
| 1.0.5 | 10 / 22 | |
| 1.0.4 | 10 / 22 | |
| 1.0.3 | 10 / 22 | |
| 1.0.2 | 10 / 22 | |
| 1.0.1 | 10 / 22 | |
| 1.0.0 | 10 / 22 | |
v1.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.