@cubejs-backend/query-orchestrator

Cube.js Query Orchestrator and Cache

Versions: 13
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

cubedevinc, statsbot, keydunov, maxim_cube

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | dormant-publish | AI (publish-pattern): Cube.js monorepo with SLSA provenance; dormancy pattern consistent with coordinated versioned releases, not takeover. | ai |
dependencies | unvetted-dep:csv-write-stream | AI (dependencies): csv-write-stream is a legitimate utility; stable dependency in this well-established Cube.js package. | ai |
bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; README and metadata patterns are typical for internal packages, not spam. | ai |
dependencies | unvetted-dep:@cubejs-backend/base-driver | AI (dependencies): Sibling monorepo package published at same version; not an independent unvetted dependency. | ai |
dependencies | unvetted-dep:@cubejs-backend/cubestore-driver | AI (dependencies): Sibling monorepo package published at same version; not an independent unvetted dependency. | ai |

Versions (showing 13 of 115)

Version Deps Published
1.3.23 7 / 8
1.3.22 7 / 8
1.3.21 7 / 8
1.3.20 7 / 8
1.3.19 7 / 8
1.3.18 7 / 8
1.3.17 7 / 8
1.3.16 7 / 8
1.3.15 7 / 8
1.3.14 7 / 8
1.3.13 7 / 8
1.3.12 7 / 8
1.3.11 7 / 8

v1.3.23

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.22

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.21

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.20

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.19

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.18

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.17

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.3.16

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.15

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.14

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.13

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.12

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.11

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.