@dword-design/base
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by CI-attested publish with no material changes; consistent with a tooling/workflow migration rather than account takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Package now publishes via GitHub Actions CI with SLSA attestation; this is a documented CI migration pattern for this org. | ai | |
| dependencies | unvetted-dep:parse-git-config | AI (dependencies): Aliased to @dword-design/parse-git-config — same org as this package; author consistently uses their own forks. No malicious signals. | ai | |
| dependencies | unvetted-dep:spdx-expression-parse | AI (dependencies): spdx-expression-parse is a well-known, widely-used SPDX parsing library with no known security issues. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@commitlint/cli | AI (phantom-deps): commitlint CLI is referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:semantic-release | AI (phantom-deps): semantic-release is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@semantic-release/git | AI (phantom-deps): semantic-release plugin referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@semantic-release/changelog | AI (phantom-deps): semantic-release plugin referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:cz-conventional-changelog | AI (phantom-deps): commitizen adapter referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@commitlint/config-conventional | AI (phantom-deps): commitlint config referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI/CD with SLSA provenance attestation; stable positive signal for this package. | ai | |
| phantom-deps | phantom-dep:@dword-design/eslint-config | AI (phantom-deps): Author's own eslint config, same org scope, referenced in config files. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@dword-design/base-config-node | AI (phantom-deps): Author's own base config package, same org scope, referenced in config. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:c8 | AI (phantom-deps): c8 is a coverage CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is a TypeScript runner referenced in scripts/config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:is-ci | AI (phantom-deps): is-ci is referenced in config files, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:vue-tsc | AI (phantom-deps): vue-tsc is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:@dword-design/ci | AI (phantom-deps): Author's own CI package, same org scope, referenced in config. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:eslint | AI (phantom-deps): eslint is a CLI tool referenced in generated config files, not directly imported. Expected pattern for a project scaffolding base package. | ai | |
| phantom-deps | phantom-dep:husky | AI (phantom-deps): husky is a git-hooks tool invoked via CLI/config, not directly imported. Expected for a scaffolding base package. | ai | |
| phantom-deps | phantom-dep:commitizen | AI (phantom-deps): commitizen is a CLI tool referenced in config, not directly imported. Expected for a scaffolding base package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 16.2.6 | 55 / 10 | |
| 16.2.5 | 55 / 10 | |
| 16.0.7 | 54 / 10 | |
| 16.0.5 | 54 / 10 | |
| 16.0.0 | 54 / 10 | |
| 15.5.3 | 54 / 10 | |
| 15.5.2 | 54 / 10 | |
| 15.4.2 | 54 / 9 | |
v16.2.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.2.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.7
2 findings
This version was published by a different npm account than previous versions on 2025-11-23. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.5.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v15.5.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.4.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.