@sanity/migrate No license 28 versions

@sanity/migrate

npm Repository Homepage

28

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sanity-svc.npmsanity-io

Keywords

cmscontentheadlessmigratemigrationrealtimesanity

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/commands/migrations/create.js	AI (source-diff): SWC-compiled output with standard async/class helpers; not obfuscated, consistent with build tooling in package.json.	ai	2026/05/06
source-diff	source-size-tripled	AI (source-diff): v5→v6 major refactor; size increase consistent with added functionality, not injected payload.	ai	2026/05/06
source-diff	large-new-source-files	AI (source-diff): Major version bump with significant feature expansion; SLSA provenance confirms CI/CD build integrity.	ai	2026/05/06
phantom-deps	phantom-dep:@sanity/eslint-config-cli	AI (phantom-deps): Same-org eslint config referenced via config files, not direct imports — expected pattern.	ai	2026/05/06
phantom-deps	phantom-dep:@sanity/cli-test	AI (phantom-deps): Same-org package used as test infrastructure; declared but not directly imported is expected.	ai	2026/05/06
phantom-deps	phantom-dep:@oclif/plugin-help	AI (phantom-deps): Referenced in oclif config (package.json plugins field), not via direct import — expected pattern.	ai	2026/05/06
maintainer-change	maintainer-added	AI (maintainer-change): sanity-svc.npm is the Sanity org service account; stable maintainer transition for this package.	ai	2026/05/06
provenance	publisher-changed	AI (provenance): sanity-svc.npm is Sanity's org CI account; SLSA attestation confirms legitimate pipeline publish.	ai	2026/05/06
dependencies	unvetted-dep:@sanity/mutate	AI (dependencies): First-party Sanity dependency; consistent with package scope across versions.	ai	2026/04/30

Versions (showing 28 of 28)

Version	Deps	Published
6.1.2	10 / 18	2026-04-30
6.1.1	10 / 18	2026-03-31
6.1.0	10 / 18	2026-03-19
6.0.0	11 / 20	2026-03-10
5.2.5	16 / 20	2026-02-18
5.2.4	17 / 19	2026-02-11
5.2.3	17 / 28	2026-01-29
5.2.2	17 / 28	2026-01-14
5.2.1	17 / 28	2026-01-06
5.1.0	9 / 10	2025-12-22
5.0.1	9 / 10	2025-12-17
5.0.0	9 / 10	2025-12-16
4.22.0	9 / 10	2025-12-16
4.21.1	9 / 10	2025-12-11
4.21.0	9 / 10	2025-12-09
4.20.3	9 / 10	2025-12-04
4.20.2	9 / 10	2025-12-04
4.20.1	9 / 10	2025-12-04
4.20.0	9 / 10	2025-12-02
4.19.0	9 / 9	2025-11-26
4.18.0	9 / 9	2025-11-21
4.17.0	9 / 9	2025-11-20
4.16.0	9 / 9	2025-11-18
4.15.0	9 / 9	2025-11-11
4.14.2	9 / 9	2025-11-07
4.14.1	9 / 9	2025-11-06
4.14.0	9 / 9	2025-11-06
4.13.0	9 / 9	2025-11-03

v6.1.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.1.0

2 findings

HIGH New obfuscated file: dist/commands/migrations/create.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.22.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.18.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.17.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.16.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.15.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.14.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.14.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.14.0

2 findings

HIGH Publisher changed: sanity-io → sanity-svc.npm (on 2025-11-06) provenance

This version was published by a different npm account than previous versions on 2025-11-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.