@qlever-llc/trellis
Client-side Trellis runtime, models, and contract helpers for TypeScript applications.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:src/generate.ts | AI (source-diff): Downloads own GitHub release binary for trellis-generate CLI; documented pattern, uses new Function only for globalThis detection. | ai | |
| source-diff | obfuscated-file:src/sdk/_generated/auth/contract.ts | AI (source-diff): Generated SDK contract file with inlined JSON; long lines are data, not obfuscation. | ai | |
| source-diff | net-exec-file:src/_dnt.polyfills.ts | AI (source-diff): Standard dnt (Deno-to-Node) polyfill file; no actual network calls, only Object.hasOwn polyfill. | ai | |
| source-diff | obfuscated-file:esm/generated-sdk/auth/owned_api.js | AI (source-diff): Generated ESM SDK file with long import lists; not obfuscated, just machine-generated. | ai | |
| source-diff | obfuscated-file:src/sdk/_generated/core/contract.ts | AI (source-diff): Generated SDK contract file with inlined JSON; long lines are data, not obfuscation. | ai | |
| source-diff | net-exec-file:script/_dnt.polyfills.js | AI (source-diff): CJS equivalent of the dnt polyfill; same benign pattern. | ai | |
| source-diff | net-exec-file:script/generate.js | AI (source-diff): CJS equivalent of generate.js; same documented binary-fetch pattern from own repo. | ai | |
| source-diff | net-exec-file:esm/generate.js | AI (source-diff): Fetches versioned release binary from own GitHub repo; documented code-gen tool pattern. | ai | |
| source-diff | net-exec-file:esm/_dnt.polyfills.js | AI (source-diff): dnt polyfill for import.meta; no remote code fetch, only globalThis ponyfill setup. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-http | AI (phantom-deps): Config-file reference only; phantom-dep heuristic false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Org-scoped package with clean publisher history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/semantic-conventions | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-node | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/sdk-trace-base | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/resources | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:@nats-io/transport-node | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads a Deno transport specifier; controlled internal use, not user-supplied input. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used for error class type introspection — not obfuscation, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/exporter-trace-otlp-proto | AI (phantom-deps): Peer/optional dependency pattern; heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:ts-deepmerge | AI (phantom-deps): Declared but not directly imported; config-only reference, stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used solely as ESM dynamic import shim in CJS context; not evaluating arbitrary external input. | ai |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 0.10.17 | 21 / 1 | |
| 0.10.16 | 21 / 1 | |
| 0.10.15 | 21 / 1 | |
| 0.10.14 | 21 / 1 | |
| 0.10.13 | 21 / 1 | |
| 0.10.12 | 21 / 1 | |
| 0.10.11 | 19 / 1 | |
| 0.10.10 | 19 / 1 | |
| 0.10.9 | 19 / 1 | |
| 0.10.8 | 19 / 1 | |
| 0.10.7 | 19 / 1 | |
| 0.10.5 | 19 / 1 | |
| 0.10.4 | 19 / 1 | |
| 0.10.3 | 19 / 1 | |
| 0.10.2 | 19 / 1 | |
| 0.10.1 | 19 / 1 | |
| 0.8.4 | 20 / 1 | |
| 0.8.3 | 20 / 1 | |
| 0.8.2 | 20 / 1 | |
| 0.8.0 | 20 / 1 | |
| 0.7.0 | 19 / 1 | |
| 0.6.1 | 17 / 1 | |
| 0.6.0 | 17 / 1 | |
| 0.5.1 | 10 / 1 |
v0.10.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.13
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.12
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.11
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.10
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.9
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.8
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.7
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.5
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.4
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.3
6 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.2
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.