contentful-management
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): postinstall runs patch-package, a standard dev tool for patching dependencies. This is a legitimate, well-known pattern used by the official Contentful SDK and poses no security risk. | ai | |
| phantom-deps | phantom-dep:@types/json-patch | AI (phantom-deps): @types/json-patch is a TypeScript type declaration package; it's normal to declare it as a dependency without direct imports since types are consumed at compile time. | ai | |
| phantom-deps | phantom-dep:lodash.isplainobject | AI (phantom-deps): lodash.isplainobject is a well-known utility bundled via webpack; phantom-dep finding is a stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Package migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation; publisher change from contentful-ecosystem to GitHub Actions is the expected outcome of this legitimate automation migration. | ai | |
| provenance | no-provenance | AI (provenance): Established Contentful SDK package with 732 versions; lack of Sigstore provenance is common and not a risk signal for this well-known publisher. | ai | |
| dependencies | unvetted-dep:contentful-sdk-core | AI (dependencies): contentful-sdk-core is a first-party Contentful package; expected dependency for this SDK across all versions. | ai | |
| dependencies | unvetted-dep:@contentful/rich-text-types | AI (dependencies): @contentful/rich-text-types is a first-party Contentful package; expected dependency for this SDK across all versions. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): process is a Node.js polyfill for browser bundle compatibility via rollup-plugin-polyfill-node; standard pattern for isomorphic SDKs. | ai | |
| phantom-deps | phantom-dep:globals | AI (phantom-deps): globals is used as a browser polyfill in the rollup bundle for this isomorphic SDK; not directly imported in source but legitimately declared as a runtime dep. | ai | |
Versions (showing 92 of 192)
| Version | Deps | Published |
|---|---|---|
| 11.32.0 | 4 / 69 | |
| 11.31.9 | 4 / 69 | |
| 11.31.8 | 4 / 69 | |
| 11.31.7 | 4 / 69 | |
| 11.31.6 | 4 / 69 | |
| 11.31.5 | 4 / 70 | |
| 11.31.4 | 4 / 69 | |
| 11.31.3 | 4 / 69 | |
| 11.31.2 | 4 / 69 | |
| 11.31.1 | 4 / 69 | |
| 11.31.0 | 4 / 69 | |
| 11.30.2 | 4 / 69 | |
| 11.30.1 | 4 / 69 | |
| 11.30.0 | 4 / 69 | |
| 11.29.1 | 7 / 70 | |
| 11.29.0 | 7 / 70 | |
| 11.28.0 | 7 / 70 | |
| 11.27.6 | 7 / 70 | |
| 11.27.5 | 7 / 70 | |
| 11.27.4 | 7 / 70 | |
| 11.27.3 | 7 / 70 | |
| 11.27.2 | 7 / 70 | |
| 11.27.1 | 7 / 70 | |
| 11.27.0 | 7 / 70 | |
| 11.26.2 | 7 / 70 | |
| 11.26.1 | 7 / 70 | |
| 11.26.0 | 7 / 70 | |
| 11.25.6 | 7 / 70 | |
| 11.25.5 | 7 / 70 | |
| 11.25.4 | 7 / 70 | |
| 11.25.3 | 7 / 70 | |
| 11.25.2 | 7 / 70 | |
| 11.25.1 | 7 / 70 | |
| 11.25.0 | 7 / 70 | |
| 11.24.5 | 7 / 70 | |
| 11.24.4 | 7 / 70 | |
| 11.24.3 | 7 / 70 | |
| 11.24.2 | 7 / 70 | |
| 11.24.1 | 7 / 70 | |
| 11.24.0 | 7 / 70 | |
| 11.23.1 | 7 / 70 | |
| 11.23.0 | 7 / 70 | |
| 11.22.0 | 7 / 70 | |
| 11.21.1 | 7 / 70 | |
| 11.21.0 | 7 / 70 | |
| 11.20.1 | 7 / 69 | |
| 11.20.0 | 7 / 69 | |
| 11.19.1 | 7 / 69 | |
| 11.19.0 | 7 / 69 | |
| 11.18.0 | 7 / 69 | |
| 11.17.0 | 7 / 69 | |
| 11.16.0 | 7 / 69 | |
| 11.15.0 | 7 / 69 | |
| 11.14.4 | 7 / 69 | |
| 11.14.3 | 7 / 69 | |
| 11.14.2 | 7 / 69 | |
| 11.14.1 | 7 / 69 | |
| 11.14.0 | 7 / 69 | |
| 11.13.3 | 7 / 69 | |
| 11.13.2 | 7 / 69 | |
| 11.13.1 | 7 / 69 | |
| 11.13.0 | 7 / 69 | |
| 11.12.2 | 7 / 69 | |
| 11.12.1 | 7 / 69 | |
| 11.12.0 | 7 / 69 | |
| 11.11.0 | 7 / 69 | |
| 11.10.0 | 7 / 69 | |
| 11.9.0 | 7 / 69 | |
| 11.8.1 | 7 / 69 | |
| 11.8.0 | 7 / 69 | |
| 11.7.3 | 7 / 69 | |
| 11.7.2 | 7 / 69 | |
| 11.7.1 | 7 / 69 | |
| 11.7.0 | 7 / 69 | |
| 11.6.1 | 7 / 69 | |
| 11.6.0 | 7 / 69 | |
| 11.5.8 | 7 / 69 | |
| 11.5.7 | 7 / 69 | |
| 11.5.6 | 7 / 69 | |
| 11.5.5 | 7 / 69 | |
| 11.5.4 | 7 / 69 | |
| 11.5.3 | 7 / 69 | |
| 11.5.2 | 7 / 69 | |
| 11.5.1 | 7 / 69 | |
| 11.5.0 | 7 / 69 | |
| 11.4.0 | 7 / 69 | |
| 11.3.0 | 7 / 69 | |
| 11.2.0 | 7 / 69 | |
| 11.1.1 | 7 / 69 | |
| 11.1.0 | 7 / 69 | |
| 11.0.1 | 7 / 69 | |
| 11.0.0 | 7 / 69 | |
| Version | Findings |
|---|---|
| v11.32.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.9 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.8 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.7 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.6 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.5 | 2 findings: Script: patch-package; [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.31.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.30.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.30.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.30.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.29.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.29.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.28.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.6 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.5 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.27.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.26.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.26.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.26.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.6 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.5 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.25.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.5 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.24.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.23.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.23.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.22.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.21.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.21.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.20.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.20.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.19.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.19.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.18.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.17.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.16.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.15.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.14.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.14.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.14.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.14.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.14.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.13.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.13.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.13.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.13.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.12.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.12.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.12.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.11.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.10.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.9.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.8.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.8.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.7.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.7.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.7.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.7.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.6.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.6.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.8 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.7 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.6 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.5 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.4 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.3 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.2 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.5.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.4.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.3.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.2.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.1.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.1.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.0.1 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v11.0.0 | 1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |