@powerlines/plugin-date
A package containing a Powerlines plugin for injecting static .env configuration values to the code so that they're accessible at runtime.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from stormie-bot to GitHub Actions with SLSA provenance attestation — this is a supply chain improvement (CI/CD automation), not a compromise indicator. | ai | |
| source-diff | obfuscated-file:dist/deepkit/src/capnp.cjs | AI (source-diff): Minified rolldown bundle output, not obfuscated malware. Code handles Cap'n Proto serialization for type reflection — legitimate build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/alloy/src/create-plugin.cjs | AI (source-diff): Minified rolldown bundle output. Code implements plugin creation with @alloy-js code generation — consistent with package purpose. | ai | |
| source-diff | obfuscated-file:dist/plugin-env/src/components/env.cjs | AI (source-diff): Minified rolldown bundle output. Code generates TypeScript env interfaces — legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/plugin-env/src/index.cjs | AI (source-diff): Minified rolldown bundle output. Code implements env plugin configuration — legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/plugin-env/src/helpers/persistence.cjs | AI (source-diff): Minified rolldown bundle output. Code handles Cap'n Proto serialization for env type persistence — legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/plugin-env/src/helpers/reflect.cjs | AI (source-diff): Minified rolldown bundle output. Code creates reflection classes for env/secrets configuration — legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/deepkit/schemas/reflection.cjs | AI (source-diff): Minified rolldown bundle output. Code defines Cap'n Proto struct classes for type reflection schemas — legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/deepkit/schemas/reflection2.cjs | AI (source-diff): Minified rolldown bundle output. Code defines Cap'n Proto struct classes (updated version) — legitimate build artifact. | ai | |
| phantom-deps | phantom-dep:@stryke/path | AI (phantom-deps): Declared dependency referenced in config files; typical for monorepo build tooling. | ai | |
| phantom-deps | phantom-dep:@powerlines/plugin-env | AI (phantom-deps): Same-org scoped dependency; legitimate for plugin ecosystem integration. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Declared dependency referenced in config files; expected for Storm Software monorepo packages. | ai | |
| phantom-deps | phantom-dep:powerlines | AI (phantom-deps): Legitimate dependency for Powerlines plugin; referenced in config and used indirectly through plugin system. | ai | |
| dependencies | unvetted-dep:powerlines | AI (dependencies): Part of the same Storm Software/Powerlines monorepo ecosystem; sibling package not yet greenflagged, not an independent risk. | ai | |
| dependencies | unvetted-dep:@powerlines/plugin-env | AI (dependencies): Sibling package in the same @powerlines monorepo; unvetted only because it hasn't been greenflagged yet, not due to independent risk. | ai | |
| dependencies | unvetted-dep:@storm-software/config-tools | AI (dependencies): Storm Software ecosystem package; consistent organizational identity across all findings, not an independent risk signal. | ai | |
| dependencies | unvetted-dep:@stryke/path | AI (dependencies): Storm Software ecosystem package (@stryke scope); consistent organizational identity, not an independent risk signal. | ai |
Versions (showing 100 of 373)
v0.12.109
10 findingsThis version was published by a different npm account than previous versions on 2025-12-23. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.56
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.55
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.54
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.