@dword-design/base-config-node MIT 9 versions

@dword-design/base-config-node

npm Repository Homepage

# @dword-design/base-config-node

9

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dword-design

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions as part of a legitimate CI/CD migration; SLSA provenance attestation confirms integrity. This pattern is stable for this package going forward.	ai	2026/04/27
phantom-deps	phantom-dep:mkdist	AI (phantom-deps): mkdist is invoked via build config, not direct import. Expected pattern for a build configuration package.	ai	2026/04/25
phantom-deps	phantom-dep:vue-tsc	AI (phantom-deps): vue-tsc is a CLI tool invoked via config, not directly imported. Expected for a build config package.	ai	2026/04/25
phantom-deps	phantom-dep:typescript	AI (phantom-deps): typescript is a toolchain dependency used via config, not directly imported. Standard pattern for build config packages.	ai	2026/04/25
phantom-deps	phantom-dep:vue	AI (phantom-deps): Build config package; vue is referenced in config files as a peer tool, not directly imported. Expected pattern for this type of package.	ai	2026/04/25
phantom-deps	phantom-dep:babel-plugin-module-resolver	AI (phantom-deps): Babel plugin referenced in config, not directly imported. Standard pattern for build config packages.	ai	2026/04/25
phantom-deps	phantom-dep:babel-plugin-add-import-extension	AI (phantom-deps): Babel plugin referenced in config, not directly imported. Standard pattern for build config packages.	ai	2026/04/25
phantom-deps	phantom-dep:vue-sfc-transformer	AI (phantom-deps): vue-sfc-transformer is referenced in config files as a transform tool, not directly imported. Expected for this package type.	ai	2026/04/25

Versions (showing 9 of 9)

Version	Deps	Published
5.0.5	16 / 5	2026-04-25
5.0.4	16 / 5	2026-04-14
5.0.3	16 / 5	2025-12-28
5.0.2	16 / 5	2025-12-05
5.0.1	16 / 5	2025-11-22
5.0.0	16 / 5	2025-11-22
4.0.4	16 / 5	2025-11-15
4.0.3	16 / 5	2025-11-15
4.0.2	16 / 5	2025-11-15

v5.0.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.3

2 findings

HIGH Publisher changed: dword-design → GitHub Actions (on 2025-12-28) provenance

This version was published by a different npm account than previous versions on 2025-12-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.2

2 findings

HIGH Publisher changed: dword-design → GitHub Actions (on 2025-12-05) provenance

This version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

2 findings

HIGH Publisher changed: dword-design → GitHub Actions (on 2025-11-22) provenance

This version was published by a different npm account than previous versions on 2025-11-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

2 findings

HIGH Publisher changed: dword-design → GitHub Actions (on 2025-11-22) provenance

This version was published by a different npm account than previous versions on 2025-11-22. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.