contentful-management — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

hungryblankcf-admincontentful-ecosystemphbschmidt

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): postinstall runs patch-package, a standard dev tool for patching dependencies. This is a legitimate, well-known pattern used by the official Contentful SDK and poses no security risk.	ai	2026/04/24
phantom-deps	phantom-dep:@types/json-patch	AI (phantom-deps): @types/json-patch is a TypeScript type declaration package; it's normal to declare it as a dependency without direct imports since types are consumed at compile time.	ai	2026/04/24
phantom-deps	phantom-dep:lodash.isplainobject	AI (phantom-deps): lodash.isplainobject is a well-known utility bundled via webpack; phantom-dep finding is a stable false positive for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Package migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation; publisher change from contentful-ecosystem to GitHub Actions is the expected outcome of this legitimate automation migration.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established Contentful SDK package with 732 versions; lack of Sigstore provenance is common and not a risk signal for this well-known publisher.	ai	2026/04/24
dependencies	unvetted-dep:contentful-sdk-core	AI (dependencies): contentful-sdk-core is a first-party Contentful package; expected dependency for this SDK across all versions.	ai	2026/04/24
dependencies	unvetted-dep:@contentful/rich-text-types	AI (dependencies): @contentful/rich-text-types is a first-party Contentful package; expected dependency for this SDK across all versions.	ai	2026/04/24
phantom-deps	phantom-dep:process	AI (phantom-deps): process is a Node.js polyfill for browser bundle compatibility via rollup-plugin-polyfill-node; standard pattern for isomorphic SDKs.	ai	2026/04/24
phantom-deps	phantom-dep:globals	AI (phantom-deps): globals is used as a browser polyfill in the rollup bundle for this isomorphic SDK; not directly imported in source but legitimately declared as a runtime dep.	ai	2026/04/24

Versions (showing 51 of 192)

View all versions

Version	Deps	Published
12.5.0	6 / 38	2026-05-11
12.4.0	6 / 38	2026-05-11
12.3.3	6 / 38	2026-05-08
12.3.2	6 / 38	2026-04-24
12.3.1	6 / 38	2026-04-14
12.3.0	6 / 38	2026-04-10
12.2.0	6 / 38	2026-03-31
12.1.0	6 / 38	2026-03-30
12.0.0	6 / 38	2026-03-26
11.76.0	5 / 47	2026-04-21
11.75.0	5 / 47	2026-03-23
11.74.0	5 / 47	2026-03-05
11.73.1	5 / 47	2026-03-02
11.73.0	5 / 47	2026-02-26
11.72.2	5 / 47	2026-02-25
11.72.1	5 / 47	2026-02-23
11.72.0	5 / 47	2026-02-20
11.71.0	5 / 47	2026-02-19
11.70.0	5 / 47	2026-02-18
11.69.3	5 / 47	2026-02-18
11.69.2	5 / 47	2026-02-11
11.69.1	5 / 47	2026-02-05
11.69.0	5 / 47	2026-02-05
11.68.1	5 / 47	2026-01-28
11.68.0	5 / 47	2026-01-20
11.67.2	5 / 47	2026-01-13
11.67.1	5 / 47	2026-01-12
11.67.0	5 / 47	2026-01-02
11.66.0	5 / 47	2025-12-12
11.65.0	5 / 47	2025-12-10
11.64.0	5 / 47	2025-12-09
11.63.1	5 / 47	2025-11-13
11.63.0	5 / 47	2025-11-11
11.62.1	5 / 47	2025-11-05
11.62.0	5 / 47	2025-10-30
11.61.1	5 / 47	2025-10-28
11.61.0	5 / 47	2025-10-23
11.60.4	5 / 47	2025-10-02
11.60.3	5 / 47	2025-09-30
11.60.2	5 / 47	2025-09-29
11.60.1	5 / 47	2025-09-26
11.60.0	5 / 47	2025-09-24
11.59.0	5 / 47	2025-09-24
11.58.1	5 / 47	2025-09-23
11.58.0	5 / 47	2025-09-18
11.57.4	5 / 47	2025-09-16
11.57.3	5 / 47	2025-09-15
11.57.2	5 / 47	2025-09-15
11.57.1	5 / 47	2025-09-12
11.57.0	5 / 47	2025-09-11
11.56.0	5 / 47	2025-09-10