@pnpm/store-path — Greenflagged

Resolves the pnpm store path

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

pnpmuserzkochan

pnpmpnpm10store

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:can-link	AI (dependencies): can-link is a stable pnpm ecosystem utility dependency present in prior approved versions; no malicious signals.	ai	2026/04/25
dependencies	unvetted-dep:path-temp	AI (dependencies): path-temp is a stable pnpm ecosystem utility dependency present in prior approved versions; no malicious signals.	ai	2026/04/25
dependencies	unvetted-dep:root-link-target	AI (dependencies): root-link-target is a stable pnpm ecosystem utility dependency present in prior approved versions; no malicious signals.	ai	2026/04/25
provenance	no-provenance	AI (provenance): pnpm monorepo packages historically lack Sigstore provenance; this is consistent across all @pnpm/* packages and not a security concern for this well-established publisher.	ai	2026/04/25

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.