header-generator — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

mtrunkatjancurnpetrpatekmnmkngjaroslavhejlekdrobnikjmetalwarrior665fnesvedab4nanjanbucharapify-service-account

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from apify-service-account to GitHub Actions CI is a documented Apify org migration; SLSA attestation confirms legitimate CI publish.	ai	2026/05/02
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy reflects CI/CD pipeline migration, not account takeover; SLSA provenance and consistent repo metadata confirm legitimacy.	ai	2026/05/02
dependencies	unvetted-dep:generative-bayesian-network	AI (dependencies): generative-bayesian-network is a sibling package in the same Apify fingerprint-suite monorepo; stable false positive for this package.	ai	2026/04/28

Versions (showing 15 of 15)

Version	Deps	Published
2.1.82	4 / 0	2026-04-01
2.1.81	4 / 0	2026-03-01
2.1.80	4 / 0	2026-02-03
2.1.79	4 / 0	2026-01-01
2.1.78	4 / 0	2025-12-01
2.1.77	4 / 0	2025-11-12
2.1.76	4 / 0	2025-11-01
2.1.75	4 / 0	2025-10-13
2.1.74	4 / 0	2025-10-01
2.1.73	4 / 0	2025-09-25
2.1.72	4 / 0	2025-09-03
2.1.70	4 / 0	2025-08-15
2.1.69	4 / 0	2025-07-01
2.1.68	4 / 0	2025-06-25
2.1.67	4 / 0	2025-06-17

v2.1.82

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.81

2 findings

HIGH Publisher changed: apify-service-account → GitHub Actions (on 2026-03-01) provenance

This version was published by a different npm account than previous versions on 2026-03-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.80

2 findings

HIGH Publisher changed: apify-service-account → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.79

2 findings

HIGH Publisher changed: apify-service-account → GitHub Actions (on 2026-01-01) provenance

This version was published by a different npm account than previous versions on 2026-01-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.78

2 findings

HIGH Publisher changed: apify-service-account → GitHub Actions (on 2025-12-01) provenance

This version was published by a different npm account than previous versions on 2025-12-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.1.77

2 findings

HIGH Publisher changed: apify-service-account → GitHub Actions (on 2025-11-12) provenance

This version was published by a different npm account than previous versions on 2025-11-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.