@powerlines/plugin-rollup

A package containing a Powerlines plugin to assist in developing other Powerlines plugins.

Versions: 13
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

stormie-bot, sullivanpj

Keywords

rollup, powerlines, storm-software, powerlines-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
dependencies unvetted-dep:@powerlines/unplugin AI (dependencies): Same-org dependency (@powerlines namespace); consistent with this package's internal ecosystem structure. ai
phantom-deps phantom-dep:@rollup/plugin-alias AI (phantom-deps): Framework-scoped rollup plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:@rollup/plugin-babel AI (phantom-deps): Framework-scoped rollup plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:@rollup/plugin-inject AI (phantom-deps): Framework-scoped rollup plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:@rollup/plugin-replace AI (phantom-deps): Framework-scoped rollup plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:rollup-plugin-typescript2 AI (phantom-deps): Referenced in config files by convention; stable false positive for this rollup plugin package. ai
phantom-deps phantom-dep:@rollup/plugin-node-resolve AI (phantom-deps): Framework-scoped rollup plugin loaded by convention; stable false positive for this package. ai
phantom-deps phantom-dep:@stryke/helpers AI (phantom-deps): Same-org helper package referenced in config files; stable false positive for this package. ai
source-diff obfuscated-file:dist/powerlines/src/api.cjs AI (source-diff): Minified rolldown bundle output. Content is legitimate build tooling logic with standard npm imports. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/src/lib/contexts/environment-context.cjs AI (source-diff): Minified rolldown bundle output. Content is legitimate plugin context logic. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/schemas/fs.cjs AI (source-diff): Minified rolldown bundle output with capnp schema definitions. Legitimate data structure code. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/src/internal/helpers/resolve-tsconfig.cjs AI (source-diff): Minified rolldown bundle output. Content is TypeScript config resolution logic. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/src/lib/build/rollup.cjs AI (source-diff): Minified rolldown bundle output. Content is rollup build configuration logic. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/src/lib/fs/vfs.cjs AI (source-diff): Minified rolldown bundle output. Content is virtual filesystem implementation. No malicious patterns. ai
source-diff obfuscated-file:dist/powerlines/src/lib/contexts/api-context.mjs AI (source-diff): Minified rolldown bundle output (ESM variant). Expected build artifact for this build tool plugin package. ai
source-diff obfuscated-file:dist/powerlines/src/lib/contexts/api-context.cjs AI (source-diff): Minified rolldown/rollup bundle output, not obfuscated malware. Code is readable JS class definitions. Expected for a build tool plugin package. ai
source-diff obfuscated-file:dist/powerlines/src/lib/contexts/context.cjs AI (source-diff): Minified rolldown bundle output. Content is legitimate context class implementation. No malicious patterns. ai
publish-pattern new-deps-added AI (publish-pattern): All new deps are established rollup ecosystem plugins or same-org @powerlines/* packages. Consistent with a legitimate refactor splitting functionality across packages. ai
provenance publisher-changed AI (provenance): Publisher changed from stormie-bot to GitHub Actions with SLSA provenance attestation — this is a CI/CD migration by the same org (Storm Software), not a hostile takeover. ai
phantom-deps phantom-dep:unplugin AI (phantom-deps): Unplugin is used in plugin configuration; phantom pattern is expected for Rollup plugins. ai
phantom-deps phantom-dep:defu AI (phantom-deps): Phantom dep pattern is expected for build tool plugins; defu is used in config context. ai
phantom-deps phantom-dep:rollup AI (phantom-deps): Rollup is a peer/plugin dependency used in config context; phantom pattern is stable for this package type. ai
phantom-deps phantom-dep:powerlines AI (phantom-deps): Powerlines is the parent framework used in config context; phantom pattern is stable. ai
phantom-deps phantom-dep:@stryke/path AI (phantom-deps): Phantom dep pattern is expected for build tool plugins; used in config context. ai
phantom-deps phantom-dep:@stryke/convert AI (phantom-deps): Phantom dep pattern is expected for build tool plugins; used in config context. ai
phantom-deps phantom-dep:@stryke/type-checks AI (phantom-deps): Phantom dep pattern is expected for build tool plugins; used in config context. ai
phantom-deps phantom-dep:jiti AI (phantom-deps): jiti is a well-known runtime TS loader; declared for config file usage, not a security concern for this package. ai
phantom-deps phantom-dep:@powerlines/plugin-babel AI (phantom-deps): Same org scope (@powerlines); sibling plugin dependency used in config files, not a security concern. ai
phantom-deps phantom-dep:@stryke/types AI (phantom-deps): Same publisher ecosystem (@stryke); type-only dependency declared for config usage, not a security concern. ai
phantom-deps phantom-dep:@stryke/fs AI (phantom-deps): Same publisher ecosystem (@stryke); declared for config file usage, not a security concern. ai

Versions (showing 13 of 417)

Version Deps Published
0.7.0 10 / 3
0.6.3 10 / 3
0.6.2 10 / 3
0.6.1 10 / 3
0.6.0 10 / 3
0.5.0 10 / 3
0.4.1 10 / 3
0.4.0 10 / 3
0.3.1 10 / 3
0.3.0 10 / 3
0.2.0 10 / 3
0.1.1 10 / 3
0.1.0 10 / 3

v0.7.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.3

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.1

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.