← Home

ember-estree

npm Repository
17
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

nullvoxpopuli

Keywords

ASTcodemodemberestreeglimmertraversalwalker

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:decorator-transforms AI (phantom-deps): Referenced in config files; consistent with Ember decorator tooling. ai
phantom-deps phantom-dep:content-tag AI (phantom-deps): Referenced in config files; consistent with Ember gjs/gts tooling pattern. ai
phantom-deps phantom-dep:@glimmer/syntax AI (phantom-deps): Referenced in config files; consistent with Glimmer/Ember tooling. ai
phantom-deps phantom-dep:content-tag-utils AI (phantom-deps): Referenced in config files; consistent with Ember gjs/gts tooling. ai
npm-metadata suspicious-initial-version AI (npm-metadata): Publisher has strong track record; 0.0.0 reflects early-stage tooling, not throwaway malware. ai
bogus-package bogus-package AI (bogus-package): Legitimate early-stage Ember tooling from a trusted publisher; sparse metadata is expected at 0.0.0. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Framework-convention Babel dep; not directly imported but used via config. ai
phantom-deps phantom-dep:@babel/parser AI (phantom-deps): Framework-convention Babel dep; not directly imported but used via config. ai
phantom-deps phantom-dep:@babel/plugin-transform-typescript AI (phantom-deps): Framework-convention Babel plugin; loaded by convention. ai
dependencies unvetted-dep:content-tag-utils AI (dependencies): Legitimate Ember/Glimmer ecosystem dep for content-tag parsing; consistent with package purpose. ai
dependencies unvetted-dep:ember-template-recast AI (dependencies): Well-known Ember template transformation tool; consistent with package purpose. ai
phantom-deps phantom-dep:@glimmer/env AI (phantom-deps): @glimmer/env is a declared runtime dep used by @glimmer/syntax transitively; phantom-dep false positive for this package. ai

Versions (showing 17 of 17)

Version Deps Published
0.6.4 4 / 10
0.6.3 4 / 10
0.6.2 4 / 10
0.6.1 5 / 9
0.6.0 5 / 8
0.5.1 5 / 8
0.5.0 5 / 8
0.4.3 5 / 8
0.4.2 5 / 8
0.4.1 5 / 8
0.4.0 5 / 7
0.3.0 5 / 7
0.2.0 5 / 7
0.1.2 5 / 7
0.1.1 5 / 7
0.1.0 5 / 7
0.0.0 7 / 1

v0.6.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.5.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.