@polkadot/util
A collection of useful utilities for @polkadot
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@types/camelcase | AI (dependencies): @types/camelcase is the TypeScript type definitions for the well-known camelcase package; it is benign and consistent with this package's pattern of listing @types/* as runtime deps. | ai | |
| phantom-deps | phantom-dep:@types/camelcase | AI (phantom-deps): Listing @types/* packages as runtime deps without direct imports is a known pattern in this Polkadot TypeScript package; other @types/* phantom deps are already accepted. | ai | |
| phantom-deps | phantom-dep:@types/ip-regex | AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/xxhashjs | AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/deasync | AI (phantom-deps): @types packages are TypeScript type declarations consumed by tooling, not direct imports; phantom-dep firing on them is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@types/ip-regex | AI (dependencies): @types/ip-regex is a DefinitelyTyped TypeScript type definition package — benign by nature, no runtime code execution risk. | ai | |
| dependencies | unvetted-dep:@types/xxhashjs | AI (dependencies): @types/xxhashjs is a DefinitelyTyped TypeScript type definition package — benign by nature, no runtime code execution risk. | ai | |
| provenance | missing-githead | AI (provenance): Package is from a highly trusted publisher (jacogr, 8095 approved/0 rejected) with a 3000+ day history. Missing gitHead reflects a publish environment change, not a security concern for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): @polkadot/util is an actively developed utility library; adding new source files across minor versions is expected organic growth, not injected code. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): bn.js and keccak are well-established cryptographic libraries appropriate for a blockchain utility package; their addition is expected and legitimate. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects legitimate addition of crypto utilities (bn.js, keccak wrappers) in a growing blockchain utility library from a trusted publisher. | ai | |
| dependencies | unvetted-dep:keccak | AI (dependencies): keccak is a well-known cryptographic hash library standard in the blockchain/Ethereum ecosystem; legitimate dependency for @polkadot/util. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption; publisher has 8083 approved packages and strong trust history. Not a meaningful risk signal here. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): babel-runtime is a legitimate runtime dependency used via babel-plugin-transform-runtime (Babel 6 pattern); not a phantom dep for this package. | ai | |
| provenance | publisher-changed | AI (provenance): paritytech-ci is Parity Technologies' CI publishing account with 111 approved packages; the polkadotjs→paritytech-ci transition is a known organizational consolidation, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): paritytech-ci is a verified Parity Technologies CI account with strong track record; addition is a legitimate organizational change. | ai | |
| phantom-deps | phantom-dep:@types/bn.js | AI (phantom-deps): @types/bn.js is a TypeScript type definition used by convention in the polkadot-js ecosystem; phantom dep finding is a stable false positive here. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is core functionality of @polkadot/util; Buffer.from(value, 'hex') is a standard, non-obfuscated utility operation. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): @polkadot/util is a well-known Polkadot ecosystem utility library, not a typosquat of uuid. The name similarity is purely coincidental. | ai |
Versions (showing 100 of 551)
| Version | Deps | Published |
|---|---|---|
| 0.26.17 | 9 / 0 | |
| 0.26.16 | 9 / 0 | |
| 0.26.15 | 9 / 0 | |
| 0.26.14 | 9 / 0 | |
| 0.26.13 | 9 / 0 | |
| 0.26.12 | 9 / 0 | |
| 0.26.11 | 9 / 0 | |
| 0.26.10 | 9 / 0 | |
| 0.26.9 | 9 / 0 | |
| 0.26.8 | 9 / 0 | |
| 0.26.6 | 8 / 0 | |
| 0.26.5 | 8 / 0 | |
| 0.26.4 | 8 / 0 | |
| 0.25.1 | 8 / 0 | |
| 0.24.9 | 8 / 0 | |
| 0.24.8 | 8 / 0 | |
| 0.24.7 | 8 / 0 | |
| 0.24.6 | 8 / 0 | |
| 0.24.5 | 8 / 0 | |
| 0.24.4 | 8 / 0 | |
| 0.24.3 | 8 / 0 | |
| 0.24.2 | 8 / 0 | |
| 0.24.1 | 8 / 0 | |
| 0.23.2 | 5 / 0 | |
| 0.23.1 | 5 / 0 | |
| 0.22.11 | 5 / 0 | |
| 0.22.10 | 5 / 0 | |
| 0.22.9 | 5 / 0 | |
| 0.22.8 | 5 / 0 | |
| 0.22.7 | 5 / 0 | |
| 0.22.6 | 5 / 0 | |
| 0.22.5 | 4 / 0 | |
| 0.22.4 | 4 / 0 | |
| 0.22.3 | 4 / 0 | |
| 0.22.2 | 4 / 0 | |
| 0.22.1 | 4 / 0 | |
| 0.21.3 | 4 / 0 | |
| 0.21.2 | 4 / 0 | |
| 0.21.1 | 4 / 0 | |
| 0.20.5 | 4 / 1 | |
| 0.20.4 | 4 / 1 | |
| 0.20.3 | 4 / 1 | |
| 0.20.2 | 4 / 1 | |
| 0.20.1 | 4 / 1 | |
| 0.19.9 | 4 / 1 | |
| 0.19.8 | 4 / 1 | |
| 0.19.7 | 4 / 1 | |
| 0.19.6 | 4 / 1 | |
| 0.19.5 | 4 / 1 | |
| 0.19.4 | 4 / 1 | |
| 0.19.3 | 4 / 1 | |
| 0.19.2 | 4 / 1 | |
| 0.19.1 | 4 / 1 | |
| 0.18.6 | 4 / 1 | |
| 0.18.5 | 4 / 1 | |
| 0.18.4 | 4 / 1 | |
| 0.18.3 | 4 / 1 | |
| 0.18.2 | 4 / 1 | |
| 0.18.1 | 4 / 1 | |
| 0.17.4 | 4 / 1 | |
| 0.17.3 | 4 / 1 | |
| 0.17.2 | 4 / 1 | |
| 0.17.1 | 4 / 1 | |
| 0.16.6 | 4 / 1 | |
| 0.16.5 | 4 / 1 | |
| 0.16.4 | 4 / 1 | |
| 0.16.3 | 4 / 1 | |
| 0.16.2 | 4 / 1 | |
| 0.16.1 | 4 / 1 | |
| 0.15.10 | 4 / 1 | |
| 0.15.9 | 4 / 1 | |
| 0.15.8 | 4 / 1 | |
| 0.15.7 | 4 / 1 | |
| 0.15.6 | 4 / 1 | |
| 0.15.5 | 4 / 1 | |
| 0.15.4 | 4 / 1 | |
| 0.15.3 | 4 / 1 | |
| 0.15.2 | 4 / 1 | |
| 0.15.1 | 4 / 1 | |
| 0.14.11 | 4 / 1 | |
| 0.14.10 | 4 / 1 | |
| 0.14.9 | 4 / 1 | |
| 0.14.8 | 4 / 1 | |
| 0.14.7 | 4 / 1 | |
| 0.14.6 | 4 / 1 | |
| 0.14.5 | 4 / 1 | |
| 0.14.4 | 4 / 1 | |
| 0.14.3 | 4 / 1 | |
| 0.14.2 | 4 / 1 | |
| 0.14.1 | 4 / 1 | |
| 0.13.9 | 4 / 1 | |
| 0.13.8 | 4 / 1 | |
| 0.13.7 | 4 / 1 | |
| 0.13.6 | 4 / 1 | |
| 0.13.5 | 4 / 1 | |
| 0.13.4 | 4 / 1 | |
| 0.13.3 | 4 / 1 | |
| 0.13.2 | 4 / 2 | |
| 0.13.1 | 4 / 2 | |
| 0.12.3 | 5 / 2 |
v0.26.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
v0.18.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
v0.18.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
v0.18.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
v0.18.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
v0.18.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.11
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jacogr.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.