@framers/agentos
Modular AgentOS orchestration library
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/emergent/SandboxedToolForge.js | AI (source-diff): SandboxedToolForge is a documented sandboxing utility; net+exec combination is intentional and security-hardened. | ai | |
| source-diff | net-exec-file:dist/emergent/SandboxedToolForge.d.ts | AI (source-diff): Type declaration file for SandboxedToolForge; same rationale as the .js file — intentional sandbox design. | ai | |
| dependencies | unvetted-peer-dep:hnswlib-node | AI (dependencies): Peer dependency for optional vector search functionality; consumers control inclusion and vetting. | ai | |
| dependencies | unvetted-peer-dep:ppu-paddle-ocr | AI (dependencies): Peer dependency for optional OCR functionality; consumers control inclusion and vetting. | ai | |
| dependencies | unvetted-peer-dep:@framers/sql-storage-adapter | AI (dependencies): Peer dependency for optional SQL storage; marked optional in peerDependenciesMeta; consumers control inclusion. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package is an AI orchestration library with many optional modules; large source file additions are expected with minor version bumps as new capabilities are added. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate orchestration library with active maintenance (263 versions, 5.7k weekly downloads). Spam signals are weak metadata heuristics; no malware indicators present. | ai | |
| dependencies | unvetted-dep:natural | AI (dependencies): natural is a well-established NLP library; its use is consistent with this package's NLP/orchestration purpose and poses no security risk. | ai | |
| phantom-deps | phantom-dep:openredaction | AI (phantom-deps): openredaction is declared in dependencies and referenced in config; phantom-dep flag is a minor packaging concern, not a security issue for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 263 versions and 5.7k weekly downloads; lack of provenance is common and not a security disqualifier for this package. | ai | |
Versions (showing 100 of 396)
| Version | Deps | Published |
|---|---|---|
| 0.6.1 | 19 / 32 | |
| 0.6.0 | 19 / 32 | |
| 0.5.15 | 19 / 32 | |
| 0.5.14 | 19 / 32 | |
| 0.5.13 | 19 / 32 | |
| 0.5.12 | 19 / 32 | |
| 0.5.10 | 19 / 32 | |
| 0.5.9 | 19 / 32 | |
| 0.5.8 | 19 / 32 | |
| 0.5.7 | 19 / 32 | |
| 0.5.6 | 19 / 32 | |
| 0.5.5 | 19 / 32 | |
| 0.5.4 | 19 / 32 | |
| 0.5.3 | 19 / 32 | |
| 0.5.2 | 19 / 32 | |
| 0.5.1 | 19 / 32 | |
| 0.5.0 | 19 / 32 | |
| 0.4.1 | 19 / 32 | |
| 0.4.0 | 19 / 32 | |
| 0.3.4 | 19 / 32 | |
| 0.3.3 | 19 / 32 | |
| 0.3.2 | 19 / 32 | |
| 0.3.1 | 19 / 32 | |
| 0.3.0 | 19 / 32 | |
| 0.2.12 | 19 / 32 | |
| 0.2.11 | 19 / 32 | |
| 0.2.10 | 19 / 32 | |
| 0.2.9 | 19 / 32 | |
| 0.2.8 | 19 / 32 | |
| 0.2.7 | 19 / 32 | |
| 0.2.6 | 19 / 32 | |
| 0.2.5 | 19 / 32 | |
| 0.2.4 | 19 / 32 | |
| 0.2.3 | 19 / 32 | |
| 0.2.2 | 19 / 32 | |
| 0.2.1 | 19 / 32 | |
| 0.2.0 | 19 / 32 | |
| 0.1.255 | 19 / 32 | |
| 0.1.254 | 19 / 32 | |
| 0.1.253 | 19 / 32 | |
| 0.1.252 | 19 / 32 | |
| 0.1.251 | 19 / 32 | |
| 0.1.250 | 19 / 32 | |
| 0.1.249 | 19 / 32 | |
| 0.1.248 | 19 / 32 | |
| 0.1.247 | 19 / 32 | |
| 0.1.246 | 19 / 32 | |
| 0.1.245 | 19 / 32 | |
| 0.1.244 | 19 / 32 | |
| 0.1.243 | 19 / 32 | |
| 0.1.242 | 19 / 32 | |
| 0.1.241 | 19 / 32 | |
| 0.1.240 | 19 / 32 | |
| 0.1.239 | 19 / 32 | |
| 0.1.238 | 19 / 32 | |
| 0.1.237 | 19 / 32 | |
| 0.1.236 | 19 / 32 | |
| 0.1.235 | 19 / 32 | |
| 0.1.234 | 19 / 32 | |
| 0.1.233 | 19 / 32 | |
| 0.1.232 | 19 / 32 | |
| 0.1.231 | 19 / 32 | |
| 0.1.230 | 19 / 32 | |
| 0.1.229 | 19 / 32 | |
| 0.1.228 | 19 / 32 | |
| 0.1.227 | 19 / 32 | |
| 0.1.226 | 19 / 32 | |
| 0.1.225 | 19 / 32 | |
| 0.1.224 | 19 / 32 | |
| 0.1.223 | 19 / 32 | |
| 0.1.222 | 19 / 32 | |
| 0.1.221 | 19 / 32 | |
| 0.1.220 | 19 / 32 | |
| 0.1.219 | 19 / 32 | |
| 0.1.218 | 19 / 32 | |
| 0.1.217 | 19 / 32 | |
| 0.1.216 | 19 / 32 | |
| 0.1.215 | 19 / 32 | |
| 0.1.214 | 19 / 32 | |
| 0.1.213 | 19 / 32 | |
| 0.1.212 | 19 / 32 | |
| 0.1.211 | 19 / 32 | |
| 0.1.210 | 19 / 32 | |
| 0.1.209 | 19 / 32 | |
| 0.1.208 | 19 / 32 | |
| 0.1.207 | 19 / 32 | |
| 0.1.206 | 19 / 32 | |
| 0.1.205 | 19 / 32 | |
| 0.1.204 | 19 / 32 | |
| 0.1.203 | 19 / 32 | |
| 0.1.202 | 19 / 32 | |
| 0.1.201 | 19 / 32 | |
| 0.1.200 | 19 / 32 | |
| 0.1.199 | 19 / 32 | |
| 0.1.198 | 19 / 32 | |
| 0.1.197 | 19 / 32 | |
| 0.1.196 | 19 / 32 | |
| 0.1.195 | 19 / 32 | |
| 0.1.194 | 19 / 32 | |
| 0.1.193 | 19 / 32 | |
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.255
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.254
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.253
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.252
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.251
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.250
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.249
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.248
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.247
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.246
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.245
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.244
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.243
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.242
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.241
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.240
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.239
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.238
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.237
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.236
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.235
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.234
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.233
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.232
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.231
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.230
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.229
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.228
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.227
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.226
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.225
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.224
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.223
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.222
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.221
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.220
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.219
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.218
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.217
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.216
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.215
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.214
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.213
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.212
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.211
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.210
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.209
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.208
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.207
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.206
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.205
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.204
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.203
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.202
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.201
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.200
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.199
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.198
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.197
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.196
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.195
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.194
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.193
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.