@n8n/ai-utilities
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase driven by bundled tiktoken tokenizer JSON files, consistent with js-tiktoken dependency addition. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are tokenizer JSON data assets (tiktoken), not injected code. | ai | |
| dependencies | unvetted-dep:@n8n/typescript-config | AI (dependencies): Same org (@n8n) build/TS config tooling; not a runtime dep concern. | ai | |
| provenance | no-provenance | AI (provenance): n8n org package; lack of provenance is common and no other risk signals present. | ai | |
| phantom-deps | phantom-dep:langchain | AI (phantom-deps): langchain is a declared runtime dependency; phantom-dep heuristic misfires on this package's usage pattern. | ai | |
| phantom-deps | phantom-dep:@n8n/typescript-config | AI (phantom-deps): Build/tsconfig dep; not directly imported at runtime. Stable false positive. | ai | |
| phantom-deps | phantom-dep:@n8n/config | AI (phantom-deps): Same-org dep used in config context; stable false positive for this package. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 0.17.0 | 17 / 6 | |
| 0.16.1 | 15 / 6 | |
| 0.16.0 | 15 / 6 | |
| 0.15.1 | 15 / 6 | |
| 0.14.1 | 15 / 6 | |
| 0.14.0 | 15 / 6 | |
| 0.12.0 | 15 / 6 | |
| 0.11.0 | 15 / 6 | |
| 0.9.0 | 15 / 6 | |
| 0.3.1 | 16 / 4 | |
| 0.3.0 | 16 / 4 | |
| 0.2.1 | 16 / 4 | |
| 0.2.0 | 16 / 4 | |
v0.17.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.11.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.