@web-widget/shared-cache

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

aui

Keywords

cachehttp-cacheweb-cache-apifetchserver-sideshared-cacherfc-7234rfc-5861stale-while-revalidatestale-if-errornodedenobunwintercgredislrucache-controlvarytypescriptcross-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions publisher is backed by SLSA provenance attestation; consistent with CI/CD automation of an established package.	ai	2026/06/09
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by CI-attested publish with no code changes; low-risk resumption of maintenance.	ai	2026/06/09
provenance	no-provenance	AI (provenance): Established package with consistent publishing history; lack of provenance is common and not a risk signal here.	ai	2026/05/27

Versions (showing 9 of 9)

Version	Deps	Published
1.8.0	2 / 22	2026-06-08
1.7.2	2 / 22	2025-08-05
1.7.1	2 / 22	2025-08-05
1.7.0	2 / 22	2025-06-30
1.6.0	2 / 22	2025-06-21
1.5.0	2 / 22	2025-06-20
1.4.0	2 / 22	2025-06-20
1.3.0	2 / 22	2025-06-08
1.2.0	2 / 22	2025-06-08

v1.8.0

2 findings

HIGH Publisher changed: aui → GitHub Actions (on 2026-06-08) provenance

This version was published by a different npm account than previous versions on 2026-06-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.