@prisma/dev
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:valibot | AI (phantom-deps): Declared dep; phantom-dep heuristic fires on bundled packages. | ai | |
| source-diff | obfuscated-file:dist/engine-XP6YJ63T.js | AI (source-diff): tsup-bundled query-engine wrapper; readable imports, spawns prisma engine binary as expected. | ai | |
| source-diff | obfuscated-file:dist/accelerate-5FDEK4T6.js | AI (source-diff): tsup-bundled output for hono/valibot accelerate proxy; readable imports, no obfuscation. | ai | |
| phantom-deps | phantom-dep:@electric-sql/pglite | AI (phantom-deps): Runtime dep used via config/dynamic wiring; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pglite-server | AI (phantom-deps): Referenced in config files as expected for this local Postgres dev-server package. | ai | |
| phantom-deps | phantom-dep:pathe | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:foreground-child | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:@hono/node-server | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:http-status-codes | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:std-env | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:env-paths | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:proper-lockfile | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:@prisma/get-platform | AI (phantom-deps): Same-org dep; stable false positive for Prisma packages. | ai | |
| phantom-deps | phantom-dep:@electric-sql/pglite-tools | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:@electric-sql/pglite-socket | AI (phantom-deps): Declared runtime dep; bundled output pattern. | ai | |
| phantom-deps | phantom-dep:hono | AI (phantom-deps): Declared runtime dep; bundled ESM package may not show direct imports to static analyzer. | ai | |
| phantom-deps | phantom-dep:read-last-lines-ts | AI (phantom-deps): Package is a declared runtime dep used indirectly via bundled dist; phantom-dep heuristic is a false positive here. | ai | |
| source-diff | obfuscated-file:dist/accelerate-UHQZHRYG.js | AI (source-diff): Minified tsup bundle output with readable imports; not obfuscation. Stable for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): @prisma scoped package with 830 versions; dormancy is normal release cadence variation. | ai | |
| source-diff | obfuscated-file:dist/accelerate-EEKAFGN3.js | AI (source-diff): Minified ESM bundle from tsup; content is readable and matches declared deps. Normal for this package. | ai | |
| source-diff | obfuscated-file:dist/accelerate-ZET2GIPN.js | AI (source-diff): Minified ESM bundle output from tsup; readable imports confirm legitimate build artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/accelerate-HABH6RJU.js | AI (source-diff): Standard tsup/esbuild bundle output; sample shows legitimate Prisma/Hono imports, not obfuscation. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @prisma package; Levenshtein match to 'ajv' is a false positive with no semantic relationship. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.24.7 | 17 / 13 | |
| 0.24.6 | 17 / 13 | |
| 0.24.5 | 17 / 12 | |
| 0.24.4 | 17 / 12 | |
| 0.24.3 | 17 / 12 | |
| 0.22.2 | 17 / 12 | |
| 0.22.1 | 17 / 12 | |
| 0.22.0 | 17 / 12 | |
| 0.21.0 | 17 / 12 | |
| 0.20.0 | 17 / 10 | |
| 0.19.1 | 17 / 10 | |
| 0.19.0 | 17 / 10 | |
| 0.18.0 | 17 / 10 | |
| 0.17.0 | 17 / 10 | |
| 0.16.1 | 17 / 10 | |
| 0.16.0 | 17 / 10 | |
| 0.15.0 | 17 / 10 | |
| 0.14.0 | 17 / 10 | |
| 0.13.0 | 17 / 10 | |
| 0.12.0 | 18 / 10 | |
| 0.10.0 | 15 / 10 | |
| 0.9.0 | 17 / 10 | |
| 0.6.1 | 15 / 10 | |
| 0.5.0 | 16 / 9 | |
| 0.3.0 | 15 / 9 | |
| 0.1.1 | 8 / 7 | |
| 0.1.0 | 8 / 7 | |
| 0.0.2 | 4 / 5 | |
| 0.0.1 | 3 / 5 | |
v0.24.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.6
4 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.19.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.18.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.