
@sveltejs/kit

8 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

rich_harris, svelte-admin, conduitry

Keywords

framework, official, svelte, sveltekit, vite

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
typosquat | typosquat.levenshtein:koa | AI (typosquat): Official @sveltejs scoped package; Levenshtein match to 'koa' is a false positive. | ai |
typosquat | typosquat.levenshtein:vite | AI (typosquat): Official @sveltejs scoped package; Levenshtein match to 'vite' is a false positive. | ai |
typosquat | typosquat.levenshtein:got | AI (typosquat): Official @sveltejs scoped package; Levenshtein match to 'got' is a false positive. | ai |
semgrep | semgrep:env-spread | AI (semgrep): process.env spread into Worker env is standard Node.js worker isolation pattern in SvelteKit's fork utility. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for legitimate response property access in load_data.js; not obfuscation. | ai |
phantom-deps | phantom-dep:@types/cookie | AI (phantom-deps): @types/cookie is a type-only dependency used for TypeScript declarations, not a runtime import. | ai |

Versions (showing 8 of 8)

Version | Deps | Published
2.61.1 | 12 / 13 |
2.61.0 | 12 / 13 |
2.60.1 | 12 / 12 |
2.60.0 | 12 / 12 |
2.59.1 | 12 / 12 |
2.59.0 | 12 / 12 |
2.58.0 | 12 / 12 |
2.57.1 | 12 / 12 |

v2.61.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.61.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.60.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.60.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.59.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.59.0

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.58.0

2 findings
HIGH | env-spread: src/utils/fork.js:39 | semgrep

Spreading entire process.env into an object — may capture all secrets

      37 |   return new Promise((fulfil, reject) => {
      38 |     const worker = new Worker(fileURLToPath(module), {
    > 39 |       env: {
      40 |         ...process.env,
      41 |         SVELTEKIT_FORK: 'true'

INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.57.1

1 finding
INFO | Has SLSA provenance attestation | provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.