@storm-software/pnpm-tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:prettier-plugin-pkg | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-esm-node-path | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| phantom-deps | phantom-dep:@pnpm/plugin-better-defaults | AI (phantom-deps): Config-file reference pattern; stable for this pnpm-tools package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README quality issues in a monorepo tooling package; not indicative of spam or malice. | ai | |
| phantom-deps | phantom-dep:@storm-software/config | AI (phantom-deps): Same-org transitive dep; phantom-dep heuristic unreliable for bundled monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool passing process.env to child_process.exec is standard; env is scoped and not exfiltrated. | ai | |
| phantom-deps | phantom-dep:@storm-software/npm-tools | AI (phantom-deps): Same-org dep; declared as runtime dependency and used transitively. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-packagejson | AI (phantom-deps): Referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@storm-software/package-constants | AI (phantom-deps): Same-org transitive dep; bundled in bin/pnpm.cjs. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): pnpm CLI wrapper legitimately uses child_process to run pnpm commands. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads only STORM_EXTENSION_* prefixed keys; scoped config pattern, not exfiltration. | ai |
Versions (showing 51 of 141)
| Version | Deps | Published |
|---|---|---|
| 0.7.72 | 11 / 3 | |
| 0.7.71 | 11 / 3 | |
| 0.7.70 | 11 / 3 | |
| 0.7.69 | 11 / 3 | |
| 0.7.68 | 11 / 3 | |
| 0.7.67 | 11 / 3 | |
| 0.7.66 | 11 / 3 | |
| 0.7.65 | 11 / 3 | |
| 0.7.64 | 11 / 3 | |
| 0.7.63 | 11 / 3 | |
| 0.7.62 | 11 / 3 | |
| 0.7.61 | 11 / 3 | |
| 0.7.60 | 11 / 3 | |
| 0.7.59 | 11 / 3 | |
| 0.7.58 | 11 / 3 | |
| 0.7.57 | 11 / 3 | |
| 0.7.56 | 11 / 3 | |
| 0.7.55 | 11 / 3 | |
| 0.7.54 | 11 / 3 | |
| 0.7.53 | 11 / 3 | |
| 0.7.52 | 11 / 3 | |
| 0.7.51 | 11 / 3 | |
| 0.7.50 | 11 / 3 | |
| 0.7.49 | 11 / 3 | |
| 0.7.48 | 11 / 3 | |
| 0.7.47 | 11 / 3 | |
| 0.7.46 | 11 / 3 | |
| 0.7.45 | 11 / 3 | |
| 0.7.44 | 11 / 3 | |
| 0.7.43 | 11 / 3 | |
| 0.7.42 | 11 / 3 | |
| 0.7.41 | 11 / 3 | |
| 0.7.40 | 11 / 3 | |
| 0.7.39 | 11 / 3 | |
| 0.7.38 | 11 / 3 | |
| 0.7.37 | 11 / 3 | |
| 0.7.36 | 11 / 3 | |
| 0.7.35 | 11 / 3 | |
| 0.7.34 | 11 / 3 | |
| 0.7.33 | 11 / 3 | |
| 0.7.32 | 11 / 3 | |
| 0.7.31 | 11 / 3 | |
| 0.7.30 | 11 / 3 | |
| 0.7.29 | 11 / 3 | |
| 0.7.28 | 11 / 3 | |
| 0.7.27 | 11 / 3 | |
| 0.7.26 | 11 / 3 | |
| 0.7.25 | 11 / 3 | |
| 0.7.24 | 11 / 3 | |
| 0.7.23 | 11 / 3 | |
| 0.7.21 | 11 / 3 |
v0.7.72
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.71
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.70
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.69
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.68
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.67
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.66
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.65
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.64
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.63
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.62
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.61
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.60
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.59
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.58
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.57
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.56
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.55
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.54
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.53
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.52
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.51
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.50
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.49
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.48
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.47
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.46
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.45
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.44
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.43
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.42
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.41
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.40
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.39
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.38
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.37
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
This version was published by a different npm account (stormie-bot) than the most recent previously approved version (GitHub Actions) on 2026-05-22, but stormie-bot is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.7.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.23
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.21
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.