@docusaurus/plugin-content-pages

Pages plugin for Docusaurus.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

fbslorberlex111docusaurus-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Docusaurus canary releases are published via GitHub Actions CI/CD by design. SLSA provenance attestation confirms the build originates from the official facebook/docusaurus repo. This pattern is stable for this package.	ai	2026/04/23
dependencies	unvetted-dep:webpack	AI (dependencies): webpack is a standard, widely-trusted build tool and a legitimate dependency for Docusaurus plugins; this finding is a stable false positive for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@docusaurus/core	AI (phantom-deps): @docusaurus/core is a same-org monorepo sibling dependency; the phantom-dep finding is a false positive for this intra-monorepo package structure.	ai	2026/04/22

Versions (showing 100 of 169)

Hide prereleases

Version	Deps	Published
3.10.1	8 / 0	2026-04-30
3.10.0	8 / 0	2026-04-07
3.9.2	8 / 0	2025-10-17
3.9.1	8 / 0	2025-09-26
3.9.0	8 / 0	2025-09-25
3.8.1	8 / 0	2025-06-06
3.8.0	8 / 0	2025-05-27
3.7.0	8 / 0	2025-01-03
3.6.3	8 / 0	2024-11-22
3.6.2	8 / 0	2024-11-19
3.6.1	8 / 0	2024-11-08
3.6.0	8 / 0	2024-11-04
3.5.2	8 / 0	2024-08-13
3.5.1	8 / 0	2024-08-09
3.5.0	8 / 0	2024-08-09
3.4.0	8 / 0	2024-05-31
3.3.2	8 / 0	2024-05-03
3.3.1	8 / 0	2024-05-03
3.3.0	8 / 0	2024-05-03
3.2.1	8 / 0	2024-04-04
3.2.0	8 / 0	2024-03-29
3.1.1	8 / 0	2024-01-26
3.1.0	8 / 0	2024-01-05
3.0.1	8 / 0	2023-11-30
3.0.0	8 / 0	2023-10-31
2.4.3	8 / 0	2023-09-20
2.4.1	8 / 0	2023-05-15
2.4.0	8 / 0	2023-03-23
2.3.1	8 / 0	2023-02-03
2.3.0	8 / 0	2023-01-27
2.2.0	8 / 0	2022-10-29
2.1.0	8 / 0	2022-09-02
2.0.1	8 / 1	2022-08-01
2.0.0	8 / 1	2022-08-01
3.9.2-canary-6578	8 / 0	2026-04-13
3.9.2-canary-6573	8 / 0	2026-04-10
3.9.2-canary-6572	8 / 0	2026-04-09
3.9.2-canary-6571	8 / 0	2026-04-09
3.9.2-canary-6570	8 / 0	2026-04-07
3.9.2-canary-6569	8 / 0	2026-04-07
3.9.2-canary-6568	8 / 0	2026-04-07
3.9.2-canary-6563	8 / 0	2026-04-03
3.9.2-canary-6562	8 / 0	2026-04-03
3.9.2-canary-6556	8 / 0	2026-04-02
3.9.2-canary-6554	8 / 0	2026-04-02
3.9.2-canary-6546	8 / 0	2026-03-26
3.9.2-canary-6545	8 / 0	2026-03-19
3.9.2-canary-6544	8 / 0	2026-03-19
3.9.2-canary-6543	8 / 0	2026-03-19
3.9.2-canary-6542	8 / 0	2026-03-19
3.9.2-canary-6541	8 / 0	2026-03-19
3.9.2-canary-6540	8 / 0	2026-03-20
3.9.2-canary-6528	8 / 0	2026-03-11
3.9.2-canary-6526	8 / 0	2026-03-10
3.9.2-canary-6508	8 / 0	2026-02-13
3.9.2-canary-6505	8 / 0	2026-02-05
3.9.2-canary-6499	8 / 0	2026-02-05
3.9.2-canary-6495	8 / 0	2026-02-05
3.9.2-canary-6466	8 / 0	2025-12-09
3.9.2-canary-6465	8 / 0	2025-12-09
3.9.2-canary-6464	8 / 0	2025-12-05
3.9.2-canary-6463	8 / 0	2025-12-05
3.9.2-canary-6461	8 / 0	2025-12-05
3.9.2-canary-6460	8 / 0	2025-12-05
3.9.2-canary-6458	8 / 0	2025-12-04
3.9.2-canary-6450	8 / 0	2025-11-21
3.9.2-canary-6449	8 / 0	2025-11-21
3.9.2-canary-6448	8 / 0	2025-11-21
3.9.2-canary-6447	8 / 0	2025-11-20
3.9.2-canary-6446	8 / 0	2025-11-20
3.9.2-canary-6445	8 / 0	2025-11-20
3.9.2-canary-6444	8 / 0	2025-11-20
3.9.2-canary-6443	8 / 0	2025-11-20
3.9.2-canary-6439	8 / 0	2025-11-14
3.9.2-canary-6437	8 / 0	2025-11-14
3.9.2-canary-6436	8 / 0	2025-11-06
3.9.2-canary-6431	8 / 0	2025-10-21
3.9.2-canary-6429	8 / 0	2025-10-17
3.9.2-canary-6426	8 / 0	2025-10-17
3.9.2-alpha.4	8 / 0	2026-03-20
3.9.2-alpha.3	8 / 0	2026-03-20
3.9.2-alpha.1-canary-6539	8 / 0	2026-03-20
3.9.2-alpha.1	8 / 0	2026-03-20
3.9.2-alpha.0-canary-6548	8 / 0	2026-03-19
3.9.2-alpha.0	8 / 0	2026-03-19
3.9.1-canary-6425	8 / 0	2025-10-17
3.9.1-canary-6424	8 / 0	2025-10-17
3.9.1-canary-6423	8 / 0	2025-10-16
3.9.1-canary-6418	8 / 0	2025-10-13
3.9.1-canary-6416	8 / 0	2025-10-10
3.9.1-canary-6415	8 / 0	2025-10-09
3.9.1-canary-6412	8 / 0	2025-10-09
3.9.1-canary-6411	8 / 0	2025-10-09
3.9.1-canary-6409	8 / 0	2025-09-26
3.9.1-canary-6408	8 / 0	2025-09-26
3.9.1-canary-6407	8 / 0	2025-09-26
3.9.0-canary-6406	8 / 0	2025-09-26
3.9.0-canary-6403	8 / 0	2025-09-25
3.8.1-canary-6402	8 / 0	2025-09-25
3.8.1-canary-6401	8 / 0	2025-09-23

Showing 100 of 169 Next page →

v3.10.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6578

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6573

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6572

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6571

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6570

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6569

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6568

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6563

2 findings

HIGH Publisher changed: slorber → GitHub Actions (on 2026-04-03) provenance

This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6562

2 findings

HIGH Publisher changed: slorber → GitHub Actions (on 2026-04-03) provenance

This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6556

2 findings

HIGH Publisher changed: slorber → GitHub Actions (on 2026-04-02) provenance

This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6554

2 findings

HIGH Publisher changed: slorber → GitHub Actions (on 2026-04-02) provenance

This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6546

2 findings

HIGH Publisher changed: slorber → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6545

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6544

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6543

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6542

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6541

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6540

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6528

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6526

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6508

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-canary-6505

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: docusaurus-bot → GitHub Actions (on 2026-02-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6499

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: docusaurus-bot → GitHub Actions (on 2026-02-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6495

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: docusaurus-bot → GitHub Actions (on 2026-02-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6466

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6465

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6464

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6463

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6461

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6460

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6458

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6450

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6449

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6448

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6447

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6446

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6445

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6444

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6443

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6439

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6437

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2-canary-6436

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: slorber → docusaurus-bot (on 2025-11-06) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-06. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6431

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: slorber → docusaurus-bot (on 2025-10-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6429

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: slorber → docusaurus-bot (on 2025-10-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-canary-6426

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: slorber → docusaurus-bot (on 2025-10-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.

v3.9.2-alpha.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.1-canary-6539

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.0-canary-6548

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.2-alpha.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.1-canary-6425

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6424

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6423

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6418

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6416

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6415

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6412

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6411

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6409

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6408

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.1-canary-6407

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.0-canary-6406

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.9.0-canary-6403

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.1-canary-6402

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.1-canary-6401

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.