@storm-software/tsdown
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; gitHead absence is a minor metadata gap, not a supply chain risk for this publisher. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from stormie-bot to GitHub Actions CI publisher; SLSA provenance attestation confirms legitimate CI/CD pipeline. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are first-party Storm Software monorepo packages; consistent with internal refactoring pattern across 459 versions. | ai | |
| phantom-deps | phantom-dep:rolldown | AI (phantom-deps): Declared runtime dep; bundler integration, stable false positive. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): Declared runtime dep; CLI binary uses commander, stable false positive. | ai | |
| phantom-deps | phantom-dep:tsup | AI (phantom-deps): Declared runtime dep in package.json; used via config/build toolchain, not direct import. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): Declared runtime dep; source map handling in build output, stable false positive. | ai | |
| phantom-deps | phantom-dep:@storm-software/config-tools | AI (phantom-deps): Same-org dep declared in dependencies; stable false positive for this package family. | ai | |
| phantom-deps | phantom-dep:es-toolkit | AI (phantom-deps): Declared runtime dep; utility library used in build toolchain. | ai | |
| phantom-deps | phantom-dep:globby | AI (phantom-deps): Declared runtime dep; used in config/build utilities, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Declared runtime dep; used in watch/build toolchain, stable false positive. | ai | |
Versions (showing 48 of 259)
| Version | Deps | Published |
|---|---|---|
| 0.35.4 | 11 / 9 | |
| 0.35.3 | 11 / 9 | |
| 0.35.2 | 11 / 9 | |
| 0.35.1 | 11 / 9 | |
| 0.35.0 | 11 / 9 | |
| 0.34.9 | 11 / 9 | |
| 0.34.8 | 11 / 9 | |
| 0.34.7 | 11 / 9 | |
| 0.34.6 | 11 / 9 | |
| 0.34.5 | 11 / 9 | |
| 0.34.4 | 11 / 9 | |
| 0.34.3 | 11 / 9 | |
| 0.34.2 | 11 / 9 | |
| 0.34.1 | 11 / 9 | |
| 0.34.0 | 11 / 9 | |
| 0.33.1 | 11 / 9 | |
| 0.33.0 | 11 / 9 | |
| 0.32.2 | 11 / 9 | |
| 0.32.1 | 11 / 9 | |
| 0.32.0 | 11 / 9 | |
| 0.31.1 | 11 / 9 | |
| 0.31.0 | 11 / 9 | |
| 0.30.1 | 11 / 9 | |
| 0.30.0 | 11 / 9 | |
| 0.29.5 | 11 / 9 | |
| 0.29.4 | 11 / 9 | |
| 0.28.25 | 8 / 9 | |
| 0.28.24 | 8 / 9 | |
| 0.28.23 | 8 / 9 | |
| 0.28.22 | 8 / 9 | |
| 0.28.21 | 8 / 9 | |
| 0.28.20 | 8 / 9 | |
| 0.28.19 | 8 / 9 | |
| 0.28.18 | 8 / 9 | |
| 0.28.17 | 8 / 9 | |
| 0.28.16 | 8 / 9 | |
| 0.28.15 | 8 / 9 | |
| 0.28.14 | 8 / 9 | |
| 0.28.13 | 8 / 9 | |
| 0.28.12 | 8 / 9 | |
| 0.28.11 | 8 / 9 | |
| 0.28.10 | 8 / 9 | |
| 0.28.9 | 8 / 9 | |
| 0.28.8 | 8 / 9 | |
| 0.28.7 | 8 / 9 | |
| 0.28.6 | 8 / 9 | |
| 0.28.5 | 8 / 9 | |
| 0.28.4 | 8 / 9 | |
v0.35.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.35.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.35.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.35.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.35.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.34.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.33.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.32.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.32.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.32.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.31.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.31.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.30.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.30.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.29.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: stormie-bot.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.25
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.24
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.23
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.22
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.21
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.19
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.18
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.17
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.16
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.14
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.13
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.12
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.11
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.10
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.9
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.8
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.28.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.