@teambit/refactoring
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/bit-error | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.utils | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| dependencies | unvetted-dep:@teambit/component.sources | AI (dependencies): Internal teambit monorepo dependency; stable pattern across all versions. | ai | |
| provenance | no-provenance | AI (provenance): Teambit publishes many packages without provenance; consistent across the ecosystem. | ai | |
| phantom-deps | phantom-dep:@teambit/component.sources | AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for monorepo packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established teambit monorepo package; missing description is a cosmetic issue, not a malware indicator. | ai |
Versions (showing 31 of 231)
| Version | Deps | Published |
|---|---|---|
| 1.0.660 | 13 / 3 | |
| 1.0.659 | 13 / 3 | |
| 1.0.657 | 13 / 3 | |
| 1.0.656 | 13 / 3 | |
| 1.0.655 | 13 / 3 | |
| 1.0.653 | 13 / 3 | |
| 1.0.651 | 13 / 3 | |
| 1.0.650 | 13 / 3 | |
| 1.0.649 | 13 / 3 | |
| 1.0.646 | 13 / 3 | |
| 1.0.644 | 13 / 3 | |
| 1.0.643 | 13 / 3 | |
| 1.0.642 | 13 / 3 | |
| 1.0.640 | 13 / 3 | |
| 1.0.639 | 13 / 3 | |
| 1.0.637 | 13 / 3 | |
| 1.0.635 | 13 / 3 | |
| 1.0.634 | 13 / 3 | |
| 1.0.633 | 13 / 3 | |
| 1.0.631 | 13 / 3 | |
| 1.0.630 | 13 / 3 | |
| 1.0.629 | 13 / 3 | |
| 1.0.628 | 13 / 3 | |
| 1.0.626 | 13 / 3 | |
| 1.0.624 | 13 / 3 | |
| 1.0.622 | 13 / 3 | |
| 1.0.621 | 13 / 3 | |
| 1.0.619 | 13 / 3 | |
| 1.0.617 | 13 / 3 | |
| 1.0.615 | 13 / 3 | |
| 1.0.610 | 13 / 3 |
v1.0.660
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.659
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.657
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.656
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.655
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.653
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.651
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.650
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.649
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.646
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.644
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.643
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.642
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.640
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.639
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.637
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.635
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.634
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.633
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.631
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.630
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.629
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.628
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.626
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.624
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.622
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.621
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.619
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.617
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.615
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.610
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.