@types/chai-subset — Greenflagged

TypeScript definitions for chai-subset

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

types

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
email-domain	unclaimed-email:https://github.com/delta62/	AI (email-domain): GitHub URL used as author contact, not a real email domain; stable FP for @types packages.	ai	2026/05/30
dependencies	unvetted-dep:@types/chai	AI (dependencies): @types/chai is a well-known DefinitelyTyped package; its use as a dependency in @types/chai-subset is expected and stable across all versions.	ai	2026/04/24
phantom-deps	phantom-dep:@types/chai	AI (phantom-deps): @types/chai is a type-level peer dependency loaded by TypeScript convention, not via direct import. This pattern is standard for all DefinitelyTyped packages.	ai	2026/04/24
provenance	no-provenance	AI (provenance): DefinitelyTyped/@types packages are published via an automated pipeline that does not currently emit Sigstore provenance. This is a known ecosystem gap, not a risk indicator.	ai	2026/04/24

Versions (showing 9 of 9)

Version	Deps	Published
1.3.6	0 / 0	2025-03-05
1.3.5	1 / 0	2023-11-07
1.3.4	1 / 0	2023-10-17
1.3.3	1 / 0	2019-08-08
1.3.2	1 / 0	2019-02-13
1.3.1	1 / 0	2017-08-21
1.3.0	1 / 0	2017-01-02
1.0.29	1 / 0	2016-09-19
1.0.28	1 / 0	2016-07-14

v1.3.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.