@teambit/mover
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/cli | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/workspace | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.bit-map | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.consumer-component | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.modules.node-modules-linker | AI (dependencies): Sibling @teambit/* package from the same monorepo; unvetted status is a registry coverage gap, not a risk. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo component package; missing description is a cosmetic issue, not a malware signal. | ai | |
| provenance | no-provenance | AI (provenance): Established teambit/bit monorepo predates widespread provenance adoption; absence is expected. | ai |
Versions (showing 60 of 160)
| Version | Deps | Published |
|---|---|---|
| 1.0.811 | 12 / 4 | |
| 1.0.810 | 12 / 4 | |
| 1.0.808 | 12 / 4 | |
| 1.0.806 | 12 / 4 | |
| 1.0.805 | 12 / 4 | |
| 1.0.804 | 12 / 4 | |
| 1.0.803 | 12 / 4 | |
| 1.0.802 | 12 / 4 | |
| 1.0.801 | 12 / 4 | |
| 1.0.800 | 12 / 4 | |
| 1.0.799 | 12 / 4 | |
| 1.0.798 | 12 / 4 | |
| 1.0.797 | 12 / 4 | |
| 1.0.677 | 12 / 4 | |
| 1.0.675 | 12 / 4 | |
| 1.0.673 | 12 / 4 | |
| 1.0.672 | 12 / 4 | |
| 1.0.671 | 12 / 4 | |
| 1.0.670 | 12 / 4 | |
| 1.0.669 | 12 / 4 | |
| 1.0.668 | 12 / 4 | |
| 1.0.665 | 12 / 4 | |
| 1.0.663 | 12 / 4 | |
| 1.0.662 | 12 / 4 | |
| 1.0.661 | 12 / 4 | |
| 1.0.660 | 12 / 4 | |
| 1.0.659 | 12 / 4 | |
| 1.0.656 | 12 / 4 | |
| 1.0.655 | 12 / 4 | |
| 1.0.654 | 12 / 4 | |
| 1.0.652 | 12 / 4 | |
| 1.0.651 | 12 / 4 | |
| 1.0.650 | 12 / 4 | |
| 1.0.649 | 12 / 4 | |
| 1.0.648 | 12 / 4 | |
| 1.0.645 | 12 / 4 | |
| 1.0.644 | 12 / 4 | |
| 1.0.643 | 12 / 4 | |
| 1.0.642 | 12 / 4 | |
| 1.0.641 | 12 / 4 | |
| 1.0.640 | 12 / 4 | |
| 1.0.638 | 12 / 4 | |
| 1.0.637 | 12 / 4 | |
| 1.0.636 | 12 / 4 | |
| 1.0.635 | 12 / 4 | |
| 1.0.633 | 12 / 4 | |
| 1.0.631 | 12 / 4 | |
| 1.0.630 | 12 / 4 | |
| 1.0.628 | 12 / 4 | |
| 1.0.627 | 12 / 4 | |
| 1.0.625 | 12 / 4 | |
| 1.0.624 | 12 / 4 | |
| 1.0.623 | 12 / 4 | |
| 1.0.621 | 12 / 4 | |
| 1.0.618 | 12 / 4 | |
| 1.0.617 | 12 / 4 | |
| 1.0.616 | 12 / 4 | |
| 1.0.612 | 12 / 4 | |
| 1.0.611 | 12 / 4 | |
| 1.0.610 | 12 / 4 |
v1.0.811
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.810
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.808
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.806
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.805
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.804
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.803
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.802
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.801
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.800
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.799
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.798
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.797
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.677
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.675
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.673
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.672
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.671
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.670
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.669
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.668
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.665
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.663
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.662
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.661
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.660
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.659
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.656
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.655
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.654
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.652
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.651
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.650
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.649
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.648
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.645
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.644
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.643
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.642
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.641
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.640
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.638
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.637
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.636
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.635
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.633
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.631
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.630
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.628
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.627
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.625
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.624
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.623
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.621
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.618
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.617
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.616
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.612
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.611
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.610
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.