@milaboratories/pl-deployments
MiLaboratories Platforma Backend code service run wrapper
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): mike-ainsel is an established publisher (859 approved); transition within @milaboratories org appears legitimate. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env to build child-process environment for binary launch; standard pattern, not exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP references are 127.0.0.1 in test files only; no production exfiltration risk. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): yaml is a declared runtime dep used in config handling; phantom-dep heuristic false positive. | ai |
Versions (showing 14 of 114)
| Version | Deps | Published |
|---|---|---|
| 2.4.1 | 9 / 16 | |
| 2.4.0 | 9 / 16 | |
| 2.3.3 | 9 / 16 | |
| 2.3.2 | 9 / 16 | |
| 2.3.1 | 9 / 16 | |
| 2.3.0 | 9 / 16 | |
| 2.2.5 | 9 / 16 | |
| 2.2.4 | 9 / 16 | |
| 2.2.3 | 9 / 16 | |
| 2.2.2 | 9 / 16 | |
| 2.2.1 | 9 / 16 | |
| 2.2.0 | 9 / 16 | |
| 2.1.3 | 9 / 16 | |
| 2.1.2 | 9 / 16 |
v2.4.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.