@storm-software/config-tools
4
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
stormie-botsullivanpj
Keywords
storm-softwarestormstorm-opssullivanpjmonorepoconfig
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed from stormie-bot to GitHub Actions with SLSA provenance attestation; this is a legitimate CI/CD pipeline transition for this monorepo package, not a compromise signal. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): This is a config-tools library; reading prefixed env vars (STORM_EXTENSION_*) is core functionality, not credential harvesting. Pattern is stable across versions. | ai | |
| phantom-deps | phantom-dep:jiti | AI (phantom-deps): jiti is declared as a runtime dep and used for dynamic config file loading — a standard pattern in config libraries. Not a security concern. | ai | |
| phantom-deps | phantom-dep:giget | AI (phantom-deps): giget is a declared dep used for config scaffolding; phantom detection reflects indirect/dynamic usage pattern typical of config tooling. | ai | |
| phantom-deps | phantom-dep:sqlite | AI (phantom-deps): sqlite declared as dep; phantom detection reflects indirect usage. No security concern for a config-tools package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): date-fns declared as dep; phantom detection reflects indirect/bundled usage. No security concern. | ai |
Versions (showing 4 of 416)
| Version | Deps | Published |
|---|---|---|
| 1.163.5 | 8 / 2 | |
| 1.163.4 | 8 / 2 | |
| 1.163.3 | 8 / 2 | |
| 1.162.18 | 8 / 2 |
v1.163.5
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.163.4
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.163.3
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.162.18
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.