@teambit/variants
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Established teambit org package; maintainer removal reflects org housekeeping, not a takeover signal. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo component; description often omitted in workspace packages. | ai | |
| provenance | no-provenance | AI (provenance): Provenance adoption is sparse; not a signal for this established package. | ai | |
| dependencies | unvetted-dep:@teambit/legacy-bit-id | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/toolbox.path.path | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/cli | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/workspace.modules.match-pattern | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/legacy.extension-data | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/config | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |
| dependencies | unvetted-dep:@teambit/harmony | AI (dependencies): Internal @teambit ecosystem dependency; stable pattern across all teambit package versions. | ai | |

Versions (showing 40 of 40)

| Version | Deps | Published |
|---|---|---|
| 0.0.1595 | 9 / 4 | |
| 0.0.1594 | 9 / 4 | |
| 0.0.1593 | 9 / 4 | |
| 0.0.1592 | 9 / 4 | |
| 0.0.1591 | 9 / 4 | |
| 0.0.1590 | 9 / 4 | |
| 0.0.1589 | 9 / 4 | |
| 0.0.1588 | 9 / 4 | |
| 0.0.1587 | 9 / 4 | |
| 0.0.1586 | 9 / 4 | |
| 0.0.1584 | 9 / 4 | |
| 0.0.1583 | 9 / 4 | |
| 0.0.1582 | 9 / 4 | |
| 0.0.1581 | 9 / 4 | |
| 0.0.1579 | 9 / 4 | |
| 0.0.1577 | 9 / 4 | |
| 0.0.1575 | 9 / 4 | |
| 0.0.1553 | 9 / 4 | |
| 0.0.1552 | 9 / 4 | |
| 0.0.1551 | 9 / 4 | |
| 0.0.1486 | 9 / 4 | |
| 0.0.1482 | 9 / 4 | |
| 0.0.1480 | 9 / 4 | |
| 0.0.1478 | 9 / 4 | |
| 0.0.1476 | 9 / 4 | |
| 0.0.1473 | 9 / 4 | |
| 0.0.1472 | 9 / 4 | |
| 0.0.1471 | 9 / 4 | |
| 0.0.1469 | 9 / 4 | |
| 0.0.1466 | 9 / 4 | |
| 0.0.1464 | 9 / 4 | |
| 0.0.1463 | 9 / 4 | |
| 0.0.1462 | 9 / 4 | |
| 0.0.1461 | 9 / 4 | |
| 0.0.1459 | 9 / 4 | |
| 0.0.1458 | 9 / 4 | |
| 0.0.1457 | 9 / 4 | |
| 0.0.1456 | 9 / 4 | |
| 0.0.1455 | 9 / 4 | |
| 0.0.1454 | 9 / 4 | |

v0.0.1595
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1594
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1593
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1592
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1591
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1590
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1589
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1587
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1586
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1584
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1583
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1582
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1581
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1579
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1577
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1575
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1553
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1552
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1551
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1486
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1482
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1480
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1478
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1476
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1473
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1472
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1471
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1469
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1466
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1464
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1463
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1462
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1461
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1459
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1458
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1457
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1456
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1455
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1454
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.