@scalar/agent-chat
Agent chat components
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@scalar/schemas | AI (dependencies): Same-org @scalar package; consistent with the rest of the dependency tree. | ai | |
| provenance | publisher-changed | AI (provenance): hanspagel is the established Scalar org maintainer with 63 approved packages; transition from bgrcs is a legitimate org handoff. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Scalar org maintainer consolidation; hanspagel is a known trusted publisher in the ecosystem. | ai | |
| dependencies | unvetted-dep:truncate-json | AI (dependencies): Small utility dep pinned to exact version; no malicious indicators. | ai | |
| dependencies | unvetted-dep:@scalar/icons | AI (dependencies): Same @scalar org scope; consistent with this package's dependency pattern. | ai | |
| dependencies | unvetted-dep:@scalar/use-toasts | AI (dependencies): Same @scalar org scope; consistent with this package's dependency pattern. | ai | |
| phantom-deps | phantom-dep:@scalar/themes | AI (phantom-deps): @scalar/themes is explicitly declared in dependencies; phantom-dep is a false positive for this package. | ai |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 0.12.5 | 19 / 10 | |
| 0.12.4 | 19 / 10 | |
| 0.12.3 | 19 / 10 | |
| 0.12.2 | 19 / 10 | |
| 0.12.1 | 19 / 10 | |
| 0.12.0 | 19 / 10 | |
| 0.10.13 | 18 / 8 | |
| 0.10.12 | 18 / 8 | |
| 0.10.11 | 18 / 8 | |
| 0.10.10 | 18 / 8 | |
| 0.10.8 | 18 / 5 | |
| 0.10.1 | 19 / 6 | |
| 0.10.0 | 19 / 6 | |
| 0.9.16 | 18 / 6 | |
| 0.9.4 | 18 / 8 | |
| 0.7.2 | 18 / 8 | |
| 0.7.1 | 18 / 8 | |
| 0.5.17 | 18 / 8 | |
| 0.5.9 | 17 / 8 | |
| 0.5.8 | 17 / 8 | |
| 0.5.7 | 17 / 8 | |
| 0.5.6 | 17 / 8 | |
| 0.5.5 | 17 / 8 | |
| 0.5.4 | 17 / 8 | |
| 0.5.3 | 17 / 8 | |
| 0.5.2 | 17 / 8 | |
| 0.4.8 | 16 / 8 | |
| 0.4.7 | 16 / 8 | |
| 0.4.6 | 16 / 8 | |
| 0.4.5 | 16 / 8 | |
| 0.4.4 | 16 / 8 | |
| 0.4.3 | 16 / 8 | |
| 0.4.2 | 16 / 8 | |
| 0.4.1 | 16 / 8 | |
| 0.4.0 | 16 / 8 | |
| 0.3.4 | 16 / 8 | |
| 0.3.3 | 16 / 8 | |
| 0.3.2 | 16 / 8 | |
| 0.3.1 | 16 / 8 | |
| 0.3.0 | 16 / 8 | |
| 0.2.9 | 16 / 8 | |
| 0.2.8 | 17 / 6 | |
| 0.2.7 | 17 / 6 | |
| 0.2.6 | 17 / 6 | |
| 0.2.5 | 18 / 6 | |
| 0.2.1 | 0 / 0 | |
| 0.2.0 | 0 / 0 |
v0.12.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.16
2 findingsThis version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.9.4
2 findingsThis version was published by a different npm account than previous versions on 2026-03-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.2
2 findingsThis version was published by a different npm account than previous versions on 2026-03-02. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
2 findingsThis version was published by a different npm account than previous versions on 2026-03-02. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.17
2 findingsThis version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.9
2 findingsThis version was published by a different npm account than previous versions on 2026-02-13. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.8
2 findingsThis version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.7
2 findingsThis version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.6
2 findingsThis version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.5
2 findingsThis version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.4
2 findingsThis version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.3
2 findingsThis version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.2
2 findingsThis version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.8
2 findingsThis version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.7
2 findingsThis version was published by a different npm account than previous versions on 2026-02-01. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.6
2 findingsThis version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.5
2 findingsThis version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
2 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.2
2 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.1
2 findingsThis version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.4.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.