@changesets/cli
Organise your package versioning and publishing to make both contributors and maintainers happy
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): changesets-release-bot is the established automated publisher for @changesets scope. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transition to changesets-release-bot in 2019; stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): All dynamic-require findings are in test files, used to read back written JSON fixtures for assertion. Not production code; no arbitrary module loading risk. | ai | |
| phantom-deps | phantom-dep:@changesets/git | AI (phantom-deps): Same-org scoped package loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:get-workspaces | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:meow | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:boxen | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:is-ci | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:outdent | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:p-limit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:pkg-dir | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:enquirer | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:prettier | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:term-size | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:tty-table | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:spawndamnit | AI (phantom-deps): CLI tool dependency loaded indirectly; stable false-positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): Framework-scoped type package loaded by convention; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@changesets/pre | AI (phantom-deps): Same-org scoped package in monorepo; phantom dependency pattern is expected and stable. | ai | |
| phantom-deps | phantom-dep:lodash.startcase | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:cli-table | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:detect-indent | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:fuzzy | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): Declared dependency used dynamically in CLI tool; phantom-dep pattern is expected for config-driven tools. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @changesets/cli is a well-known scoped package with no relation to 'joi'; the Levenshtein match is a false positive driven by the short length of 'joi' vs. the full scoped name. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation; absence is not a security blocker for established packages with strong publisher track records. | ai | |
| phantom-deps | phantom-dep:@types/is-ci | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:@types/semver | AI (phantom-deps): TypeScript type package; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:human-id | AI (phantom-deps): Referenced in config files for changeset ID generation; legitimate use pattern for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ansi-colors is a well-known, benign terminal color utility; its addition is consistent with CLI tooling and poses no supply chain risk. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by Babel transpilation; not directly imported but legitimately used. | ai | |
| bogus-package | bogus-package | AI (bogus-package): @changesets/cli is a well-known monorepo sub-package; sparse README and missing keywords are expected for scoped packages that defer to the main repo docs. Not a spam/bogus package. | ai | |
| dependencies | unvetted-dep:term-size | AI (dependencies): term-size is a legitimate Sindre Sorhus package for terminal size detection; its use in a CLI tool is expected and appropriate. | ai | |
Versions (showing 100 of 105)
| Version | Deps | Published |
|---|---|---|
| 2.31.0 | 26 / 6 | |
| 2.30.0 | 26 / 6 | |
| 2.29.8 | 28 / 6 | |
| 2.29.7 | 28 / 6 | |
| 2.29.6 | 28 / 6 | |
| 2.29.5 | 28 / 6 | |
| 2.29.4 | 28 / 6 | |
| 2.29.3 | 28 / 6 | |
| 2.29.2 | 28 / 6 | |
| 2.29.1 | 28 / 6 | |
| 2.29.0 | 28 / 6 | |
| 2.28.1 | 28 / 6 | |
| 2.28.0 | 28 / 6 | |
| 2.27.12 | 28 / 6 | |
| 2.27.11 | 28 / 6 | |
| 2.27.10 | 28 / 6 | |
| 2.27.9 | 28 / 6 | |
| 2.27.8 | 30 / 4 | |
| 2.27.7 | 32 / 3 | |
| 2.27.6 | 32 / 3 | |
| 2.27.5 | 33 / 3 | |
| 2.27.4 | 33 / 3 | |
| 2.27.3 | 32 / 3 | |
| 2.27.2 | 32 / 3 | |
| 2.27.1 | 32 / 3 | |
| 2.27.0 | 32 / 3 | |
| 2.26.2 | 33 / 3 | |
| 2.26.1 | 33 / 3 | |
| 2.26.0 | 33 / 3 | |
| 2.25.2 | 33 / 4 | |
| 2.25.1 | 33 / 4 | |
| 2.25.0 | 33 / 4 | |
| 2.24.4 | 33 / 4 | |
| 2.24.3 | 33 / 4 | |
| 2.24.2 | 33 / 4 | |
| 2.24.1 | 33 / 4 | |
| 2.24.0 | 33 / 4 | |
| 2.23.2 | 33 / 4 | |
| 2.23.1 | 33 / 4 | |
| 2.23.0 | 33 / 4 | |
| 2.22.0 | 32 / 4 | |
| 2.21.1 | 31 / 4 | |
| 2.21.0 | 31 / 4 | |
| 2.20.0 | 30 / 4 | |
| 2.19.0 | 31 / 4 | |
| 2.18.1 | 30 / 4 | |
| 2.18.0 | 30 / 4 | |
| 2.17.0 | 30 / 4 | |
| 2.16.0 | 30 / 4 | |
| 2.15.0 | 30 / 4 | |
| 2.14.1 | 30 / 4 | |
| 2.14.0 | 30 / 4 | |
| 2.13.1 | 30 / 4 | |
| 2.13.0 | 30 / 4 | |
| 2.12.0 | 30 / 4 | |
| 2.11.2 | 30 / 4 | |
| 2.11.1 | 30 / 4 | |
| 2.11.0 | 30 / 4 | |
| 2.10.3 | 30 / 4 | |
| 2.10.2 | 30 / 4 | |
| 2.10.1 | 30 / 4 | |
| 2.10.0 | 30 / 4 | |
| 2.9.2 | 29 / 4 | |
| 2.9.1 | 29 / 4 | |
| 2.9.0 | 29 / 4 | |
| 2.8.0 | 28 / 4 | |
| 2.7.2 | 28 / 4 | |
| 2.7.1 | 28 / 4 | |
| 2.7.0 | 28 / 4 | |
| 2.6.5 | 28 / 5 | |
| 2.6.4 | 27 / 5 | |
| 2.6.3 | 27 / 5 | |
| 2.6.2 | 27 / 5 | |
| 2.6.1 | 27 / 5 | |
| 2.6.0 | 28 / 5 | |
| 2.5.2 | 28 / 5 | |
| 2.5.1 | 28 / 5 | |
| 2.5.0 | 28 / 5 | |
| 2.4.1 | 28 / 5 | |
| 2.4.0 | 28 / 5 | |
| 2.3.3 | 29 / 5 | |
| 2.3.2 | 34 / 5 | |
| 2.3.1 | 34 / 5 | |
| 2.3.0 | 34 / 5 | |
| 2.2.0 | 33 / 4 | |
| 2.1.2 | 31 / 3 | |
| 2.1.1 | 31 / 3 | |
| 2.1.0 | 31 / 3 | |
| 2.0.4 | 31 / 3 | |
| 2.0.3 | 33 / 3 | |
| 2.0.2 | 33 / 3 | |
| 2.0.1 | 33 / 3 | |
| 2.0.0 | 33 / 3 | |
| 1.3.3 | 26 / 2 | |
| 1.3.1 | 26 / 2 | |
| 1.3.0 | 26 / 2 | |
| 1.2.0 | 24 / 2 | |
| 1.1.5 | 25 / 1 | |
| 1.1.4 | 23 / 1 | |
| 1.1.3 | 21 / 1 |
v2.31.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.30.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.29.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (changesets-release-bot) than the most recent previously approved version (noviny) on 2020-03-09, but changesets-release-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.5.2
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (changesets-release-bot) than the most recent previously approved version (noviny) on 2020-02-24, but changesets-release-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.5.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (changesets-release-bot) than the most recent previously approved version (mitchellhamilton) on 2020-02-01, but changesets-release-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.5.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (noviny) than the most recent previously approved version (changesets-release-bot) on 2020-01-24, but noviny is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.4.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (mitchellhamilton) than the most recent previously approved version (changesets-release-bot) on 2019-12-09, but mitchellhamilton is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v2.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.3
2 findings: This version was published by a different npm account than previous versions on 2019-11-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
2 findings: This version was published by a different npm account than previous versions on 2019-10-31. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
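The version entries above are produced by a small set of per-version rules: the provenance predicate check (SLSA v1 attestation present or not), the publisher-change check with its exception for a publisher already listed as a maintainer on prior approved versions, newly added maintainers, and newly added dependencies. The block below is an added example, not the scanner's implementation and not @changesets/cli code, that reproduces those rules over a constructed publish history. Account names, version numbers and dependency names are made up; the rule that a version counts as approved when it carries no WARN finding or a reviewer has accepted it is an assumption about the page's review workflow, not something the page states.

```javascript
// Added example (not the page's scanner, not @changesets/cli code): the
// per-version checks described in the findings list, over constructed data.
const SLSA_V1 = "https://slsa.dev/provenance/v1";

// history: oldest first, one record per published version:
//   { version, publisher, maintainers: [names at publish time],
//     dependencies: [runtime dep names], attestations: [predicate types] }
// accepted: versions a reviewer accepted despite a WARN finding (assumed
// workflow: such versions become "approved" and anchor later comparisons).
// Returns { findings: { version: [ {level, rule, msg} ] }, approved: [versions] }.
function analyzeHistory(history, accepted = new Set()) {
  const findings = {};
  const approved = [];
  const knownMaintainers = new Set(); // maintainers/publishers of prior approved versions
  let lastApproved = null;

  for (const v of history) {
    const out = [];

    // Provenance: a Sigstore attestation with the SLSA v1 predicate is the
    // strongest signal; its absence is recorded as INFO, not as a blocker.
    if (v.attestations.includes(SLSA_V1)) {
      out.push({ level: "OK", rule: "provenance", msg: `published via CI/CD with ${SLSA_V1} attestation` });
    } else {
      out.push({ level: "INFO", rule: "no-provenance", msg: "published without Sigstore provenance" });
    }

    if (lastApproved) {
      // Publisher differs from the most recent approved version. A publisher
      // already a maintainer on prior approved versions (matched on name) is
      // treated as a manual publish by a known maintainer (INFO). Anyone else
      // is either a legitimate transition or an account compromise (WARN).
      if (v.publisher !== lastApproved.publisher) {
        if (knownMaintainers.has(v.publisher)) {
          out.push({ level: "INFO", rule: "publisher-changed",
            msg: `published by ${v.publisher} instead of ${lastApproved.publisher}; known maintainer` });
        } else {
          out.push({ level: "WARN", rule: "publisher-changed",
            msg: `published by ${v.publisher}, not a maintainer on any prior approved version` });
        }
      }
      // Maintainer list grew relative to everything approved so far.
      const added = v.maintainers.filter((m) => !knownMaintainers.has(m));
      if (added.length) {
        out.push({ level: "INFO", rule: "maintainer-added", msg: `new maintainers: ${added.join(", ")}` });
      }
      // Runtime dependencies absent from the last approved version.
      const newDeps = v.dependencies.filter((d) => !lastApproved.dependencies.includes(d));
      if (newDeps.length) {
        out.push({ level: "INFO", rule: "new-deps-added", msg: `new dependencies: ${newDeps.join(", ")}` });
      }
    }

    findings[v.version] = out;
    const hasWarn = out.some((f) => f.level === "WARN");
    if (!hasWarn || accepted.has(v.version)) {
      approved.push(v.version);
      lastApproved = v;
      for (const m of v.maintainers) knownMaintainers.add(m);
      knownMaintainers.add(v.publisher);
    }
  }
  return { findings, approved };
}

// Constructed history (hypothetical package, accounts and versions).
const HISTORY = [
  { version: "1.0.0", publisher: "alice", maintainers: ["alice"], dependencies: ["chalk"], attestations: [] },
  { version: "1.1.0", publisher: "release-bot", maintainers: ["alice", "release-bot"], dependencies: ["chalk"], attestations: [] },
  { version: "1.2.0", publisher: "alice", maintainers: ["alice", "release-bot"], dependencies: ["chalk", "ansi-colors"], attestations: [] },
  { version: "1.3.0", publisher: "mallory", maintainers: ["alice", "release-bot"], dependencies: ["chalk", "ansi-colors"], attestations: [] },
  { version: "2.0.0", publisher: "release-bot", maintainers: ["alice", "release-bot"], dependencies: ["chalk", "ansi-colors"], attestations: [SLSA_V1] },
];

// The reviewer accepted the bot's first publish, as the table on this page did
// for changesets-release-bot; the later unknown publisher is left unaccepted.
console.log(JSON.stringify(analyzeHistory(HISTORY, new Set(["1.1.0"])), null, 2));
```

On this history the first bot publish is WARN until accepted, after which the bot counts as a known maintainer and its later publishes (including the attested 2.0.0) are INFO; the publish by `mallory` stays WARN and never becomes the comparison baseline, so the next version is still judged against 1.2.0. For the attested versions, `npm audit signatures` run in a project that installs the package verifies the registry attestations locally rather than trusting the dashboard's summary.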