@finos/legend-extension-store-relational
Legend extension for Relational store
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:serializr | AI (dependencies): serializr is a well-known serialization library; stable dependency for this package across versions. | ai | |
| provenance | no-provenance | AI (provenance): Established FINOS org package; lack of provenance is common and not a risk indicator here. | ai | |
| phantom-deps | phantom-dep:serializr | AI (phantom-deps): Config-file reference in monorepo; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped type package; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:mobx-react-lite | AI (phantom-deps): Monorepo config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@finos/legend-art | AI (phantom-deps): Same-org monorepo sibling; phantom-dep heuristic unreliable here. | ai | |
| phantom-deps | phantom-dep:mobx | AI (phantom-deps): Monorepo peer/config reference pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@finos/legend-shared | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-storage | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-application | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-application-studio | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@finos/legend-graph | AI (phantom-deps): Same-org monorepo sibling; stable false positive. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Declared as peerDependency; phantom-dep heuristic fires incorrectly for peer deps. | ai |
Versions (showing 64 of 165)
| Version | Deps | Published |
|---|---|---|
| 0.0.442 | 11 / 9 | |
| 0.0.441 | 11 / 9 | |
| 0.0.440 | 11 / 9 | |
| 0.0.439 | 11 / 9 | |
| 0.0.438 | 11 / 9 | |
| 0.0.437 | 11 / 9 | |
| 0.0.436 | 11 / 9 | |
| 0.0.435 | 11 / 9 | |
| 0.0.434 | 11 / 9 | |
| 0.0.433 | 11 / 9 | |
| 0.0.432 | 11 / 9 | |
| 0.0.431 | 11 / 9 | |
| 0.0.430 | 11 / 9 | |
| 0.0.429 | 11 / 9 | |
| 0.0.428 | 11 / 9 | |
| 0.0.427 | 11 / 9 | |
| 0.0.426 | 11 / 9 | |
| 0.0.425 | 11 / 9 | |
| 0.0.424 | 11 / 9 | |
| 0.0.423 | 11 / 9 | |
| 0.0.422 | 11 / 9 | |
| 0.0.421 | 11 / 9 | |
| 0.0.420 | 11 / 9 | |
| 0.0.419 | 11 / 9 | |
| 0.0.418 | 11 / 9 | |
| 0.0.417 | 11 / 9 | |
| 0.0.416 | 11 / 9 | |
| 0.0.415 | 11 / 9 | |
| 0.0.414 | 11 / 9 | |
| 0.0.413 | 11 / 9 | |
| 0.0.412 | 11 / 9 | |
| 0.0.411 | 11 / 9 | |
| 0.0.410 | 11 / 9 | |
| 0.0.409 | 11 / 9 | |
| 0.0.408 | 11 / 9 | |
| 0.0.407 | 11 / 9 | |
| 0.0.406 | 11 / 9 | |
| 0.0.405 | 11 / 9 | |
| 0.0.404 | 11 / 9 | |
| 0.0.403 | 11 / 9 | |
| 0.0.402 | 11 / 9 | |
| 0.0.401 | 11 / 9 | |
| 0.0.400 | 11 / 9 | |
| 0.0.399 | 11 / 9 | |
| 0.0.398 | 11 / 9 | |
| 0.0.397 | 11 / 9 | |
| 0.0.396 | 11 / 9 | |
| 0.0.395 | 11 / 9 | |
| 0.0.394 | 11 / 9 | |
| 0.0.393 | 11 / 9 | |
| 0.0.392 | 11 / 9 | |
| 0.0.391 | 11 / 9 | |
| 0.0.390 | 11 / 9 | |
| 0.0.389 | 11 / 9 | |
| 0.0.388 | 11 / 9 | |
| 0.0.387 | 11 / 9 | |
| 0.0.386 | 11 / 9 | |
| 0.0.385 | 11 / 9 | |
| 0.0.384 | 11 / 9 | |
| 0.0.383 | 11 / 9 | |
| 0.0.382 | 11 / 9 | |
| 0.0.381 | 11 / 9 | |
| 0.0.380 | 11 / 9 | |
| 0.0.379 | 11 / 9 |
v0.0.442
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.441
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.440
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.439
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.438
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.437
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.436
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.435
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.434
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.433
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.432
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.431
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.430
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.429
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.428
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.427
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.426
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.425
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.424
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.423
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.422
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.421
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.420
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.419
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.418
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.417
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.416
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.415
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.414
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.413
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.412
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.411
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.410
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.409
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.408
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.407
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.406
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.405
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.404
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.403
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.402
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.401
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.400
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.399
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.398
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.397
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.396
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.395
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.394
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.393
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.392
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.391
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.390
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.389
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.388
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.387
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.386
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.385
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.384
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.383
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.382
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.381
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.380
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.379
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.