@kong/kongponents
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/kongponents260.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; expected build output for this Vue component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents264.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; expected build output for this Vue component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents277.cjs | AI (source-diff): Standard Vite/Rollup minified build output for a Vue component library; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents355.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; lodash-es environment detection pattern, not malware. | ai | |
| source-diff | net-exec-file:dist/kongponents.es355.js | AI (source-diff): Same lodash-es global detection in ESM build chunk; not a dropper. | ai | |
| source-diff | net-exec-file:dist/kongponents355.cjs | AI (source-diff): Function('return this')() is lodash-es global detection; no actual network+exec dropper pattern. | ai | |
| source-diff | obfuscated-file:dist/kongponents274.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; readable Vue component logic visible in sample. | ai | |
| source-diff | obfuscated-file:dist/kongponents261.cjs | AI (source-diff): Minified Vite/Rollup CJS bundle output; normal for this package's build process across all versions. | ai | |
| source-diff | obfuscated-file:dist/kongponents204.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; normal build output for this Vue component library. | ai | |
| source-diff | net-exec-file:dist/kongponents369.cjs | AI (source-diff): Function('return this') is a lodash globalThis polyfill pattern, not a dropper; no actual network calls. | ai | |
| source-diff | net-exec-file:dist/kongponents.es369.js | AI (source-diff): Same lodash globalThis polyfill in ES module build; legitimate bundled dependency. | ai | |
| source-diff | obfuscated-file:dist/kongponents369.cjs | AI (source-diff): Contains lodash/focus-trap minified; legitimate build artifact from Vite bundling. | ai | |
| source-diff | obfuscated-file:dist/kongponents171.cjs | AI (source-diff): Vite/Rollup minified build output for a Vue component library; sample shows SVG/component code, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/kongponents.es357.js | AI (source-diff): ESM chunk from Vite build; same pattern as CJS chunk, no malicious indicators. | ai | |
| source-diff | net-exec-file:dist/kongponents357.cjs | AI (source-diff): Minified Vue/lodash bundle; network refs are fetch API usage in UI components, not dropper behavior. | ai | |
| source-diff | obfuscated-file:dist/kongponents357.cjs | AI (source-diff): Vite-generated minified chunk; normal build output for this Vue component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents250.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; CalendarWrapper component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/kongponents255.cjs | AI (source-diff): Standard Vite CJS chunk containing focus-trap library with MIT license header. | ai | |
| source-diff | obfuscated-file:dist/kongponents186.cjs | AI (source-diff): Standard Vite CJS chunk; readable Vue component code, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/kongponents259.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk with bundled focus-trap; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/kongponents271.cjs | AI (source-diff): Contains recognizable floating-ui positioning logic; minified CJS chunk from Vite build, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents106.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents300.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents265.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents148.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents144.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents133.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents129.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents127.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents125.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents123.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents120.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents116.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents110.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents108.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library. | ai | |
| source-diff | obfuscated-file:dist/kongponents100.cjs | AI (source-diff): Standard Vite CJS build chunk for Kong component library; minified but not malicious. | ai | |
| source-diff | obfuscated-file:dist/kongponents249.cjs | AI (source-diff): Standard Vite CJS chunk output; readable Vue component (ColumnVisibilityMenu) logic. | ai | |
| source-diff | obfuscated-file:dist/kongponents306.cjs | AI (source-diff): Standard Vite CJS chunk output; floating-ui DOM utilities, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/kongponents241.cjs | AI (source-diff): Standard Vite CJS chunk output; CalendarWrapper component code, not malicious. | ai | |
| source-diff | obfuscated-file:dist/kongponents263.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; readable Vue component code, not obfuscated. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Component library with many Vite build chunks; large file count is expected for this package. | ai | |
| source-diff | obfuscated-file:dist/kongponents362.cjs | AI (source-diff): Standard Vite CJS chunk; contains readable date-fns parsing code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents280.cjs | AI (source-diff): Standard Vite CJS chunk; contains readable tabbable 6.4.0 source, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents332.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk containing vue-draggable-next/sortablejs; no malicious content. | ai | |
| source-diff | obfuscated-file:dist/kongponents164.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/kongponents161.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/kongponents159.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/kongponents157.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/kongponents246.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/kongponents257.cjs | AI (source-diff): Standard Vite minified CJS chunk; focus-trap library code with MIT license header. | ai | |
| source-diff | obfuscated-file:dist/kongponents22.cjs | AI (source-diff): Standard Vite minified CJS chunk; readable Vue component code. | ai | |
| source-diff | obfuscated-file:dist/kongponents258.cjs | AI (source-diff): Minified Vite/Rollup CJS build chunk; standard for this component library's build output. | ai | |
| provenance | publisher-changed | AI (provenance): Kong migrated to GitHub Actions CI publishing with SLSA attestation; this is the expected publisher going forward. | ai | |
| source-diff | obfuscated-file:dist/kongponents327.cjs | AI (source-diff): Minified Rollup/Vite bundle of declared deps (vue-draggable-next, sortablejs); not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents267.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/kongponents252.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/kongponents201.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; content is Vue component + SVG icon code, not malicious. | ai | |
| source-diff | obfuscated-file:dist/kongponents285.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; content is date-fns formatting logic, not malicious. | ai | |
| source-diff | obfuscated-file:dist/kongponents244.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable floating-ui DOM utilities, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/kongponents273.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk output for a Vue component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents269.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk output for a Vue component library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents254.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; focus-trap attribution visible in file header. Normal for this package. | ai | |
| source-diff | obfuscated-file:dist/kongponents251.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; readable Vue component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents247.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; readable Vue component code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/kongponents253.cjs | AI (source-diff): Standard Vite/Rollup minified CJS chunk; readable Vue component code, not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:@popperjs/core | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:date-fns-tz | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:@kong/icons | AI (phantom-deps): Same org scope; used indirectly in component library. | ai | |
| phantom-deps | phantom-dep:sortablejs | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling, not direct imports. | ai | |
| phantom-deps | phantom-dep:virtua | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:vue-draggable-next | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:@floating-ui/vue | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai | |
| phantom-deps | phantom-dep:focus-trap-vue | AI (phantom-deps): Large component library; deps used indirectly or via config/build tooling. | ai |
Versions (showing 71 of 171)
| Version | Deps | Published |
|---|---|---|
| 9.38.5 | 14 / 55 | |
| 9.38.4 | 14 / 55 | |
| 9.38.3 | 14 / 55 | |
| 9.38.2 | 14 / 55 | |
| 9.38.1 | 14 / 55 | |
| 9.38.0 | 14 / 55 | |
| 9.37.2 | 14 / 55 | |
| 9.37.1 | 14 / 55 | |
| 9.37.0 | 14 / 55 | |
| 9.36.13 | 14 / 55 | |
| 9.36.12 | 14 / 55 | |
| 9.36.11 | 14 / 55 | |
| 9.36.10 | 14 / 55 | |
| 9.36.9 | 14 / 55 | |
| 9.36.8 | 14 / 55 | |
| 9.36.7 | 14 / 55 | |
| 9.36.6 | 14 / 55 | |
| 9.36.5 | 14 / 55 | |
| 9.36.4 | 14 / 55 | |
| 9.36.3 | 14 / 55 | |
| 9.36.2 | 14 / 55 | |
| 9.36.1 | 14 / 55 | |
| 9.36.0 | 14 / 55 | |
| 9.35.11 | 14 / 55 | |
| 9.35.10 | 14 / 55 | |
| 9.35.9 | 14 / 55 | |
| 9.35.8 | 14 / 55 | |
| 9.35.7 | 14 / 55 | |
| 9.35.6 | 14 / 55 | |
| 9.35.5 | 14 / 55 | |
| 9.35.4 | 14 / 55 | |
| 9.35.3 | 14 / 55 | |
| 9.35.2 | 14 / 55 | |
| 9.35.1 | 14 / 55 | |
| 9.35.0 | 14 / 55 | |
| 9.34.2 | 14 / 55 | |
| 9.34.1 | 14 / 55 | |
| 9.34.0 | 14 / 55 | |
| 9.33.3 | 14 / 55 | |
| 9.33.2 | 14 / 55 | |
| 9.33.1 | 14 / 55 | |
| 9.33.0 | 14 / 55 | |
| 9.32.7 | 14 / 55 | |
| 9.32.6 | 14 / 55 | |
| 9.32.5 | 14 / 55 | |
| 9.32.4 | 14 / 55 | |
| 9.32.3 | 14 / 55 | |
| 9.32.2 | 14 / 55 | |
| 9.32.1 | 14 / 55 | |
| 9.32.0 | 14 / 55 | |
| 9.31.10 | 14 / 55 | |
| 9.31.9 | 14 / 55 | |
| 9.31.8 | 14 / 55 | |
| 9.31.7 | 14 / 55 | |
| 9.31.6 | 14 / 55 | |
| 9.31.5 | 14 / 55 | |
| 9.31.4 | 14 / 55 | |
| 9.31.3 | 14 / 55 | |
| 9.31.2 | 14 / 55 | |
| 9.31.1 | 14 / 55 | |
| 9.31.0 | 14 / 55 | |
| 9.30.2 | 14 / 55 | |
| 9.30.1 | 14 / 55 | |
| 9.30.0 | 14 / 55 | |
| 9.29.11 | 14 / 55 | |
| 9.29.10 | 14 / 55 | |
| 9.29.9 | 14 / 55 | |
| 9.29.8 | 14 / 55 | |
| 9.29.7 | 14 / 55 | |
| 9.29.6 | 14 / 55 | |
| 9.29.5 | 14 / 55 |
v9.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.38.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.38.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.38.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.38.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.37.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.37.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.37.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.36.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.34.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.34.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.33.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.33.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.33.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.33.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.31.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.30.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.30.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.29.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.29.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.