react-native-screens — Greenflagged

Native navigation primitives for your React Native app.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kkafarswm-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:react-native-gradle-plugin	AI (dependencies): react-native-gradle-plugin is a platform-specific Android build tool dependency; its use in react-native-screens is expected and benign for this package.	ai	2026/04/23
phantom-deps	phantom-dep:react-native-gradle-plugin	AI (phantom-deps): Declared but not directly imported because it is a platform-specific binary package for Android Gradle builds; this pattern is stable for react-native-screens.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): v3.28.0 added Reanimated integration (evidenced by reanimated/index paths in package.json), naturally producing many new source files. No obfuscation or malicious patterns indicated.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer tboba has clean history (115 approved, 0 rejected); legitimate transition for mature package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for established packages.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): react-freeze is a legitimate Software Mansion library intentionally added to react-native-screens for React 18 concurrent feature support; not a supply chain risk.	ai	2026/04/23
provenance	missing-githead	AI (provenance): Package transitioned to GitHub Actions CI publishing; missing gitHead is explained by the changed publish environment. SLSA provenance attestation provides stronger integrity assurance.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): react-native-screens uses this nightly versioning pattern (date + commit hash suffix) for automated nightly CI builds; not a malware indicator for this package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher transition from kacperkapusciak to tboba is legitimate; new publisher has strong track record.	ai	2026/04/22
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall runs git submodule update and yarn install—standard monorepo setup, not arbitrary code execution.	ai	2026/04/22
dependencies	unvetted-dep:react-freeze	AI (dependencies): react-freeze is a legitimate React Native ecosystem package; its use in react-native-screens for subtree freezing is expected and stable across versions.	ai	2026/04/22

Versions (showing 100 of 457)

Hide prereleases

Version	Deps	Published
2.14.0	0 / 36	2020-11-10
2.13.0	0 / 36	2020-11-04
2.12.0	0 / 34	2020-10-27
2.11.0	0 / 34	2020-09-16
2.10.1	0 / 34	2020-08-05
2.10.0	0 / 34	2020-08-05
2.9.0	0 / 31	2020-06-19
2.8.0	0 / 30	2020-05-22
2.7.0	0 / 30	2020-04-24
2.6.0	0 / 30	2020-04-23
2.5.0	1 / 29	2020-04-16
2.4.0	1 / 29	2020-03-20
2.3.0	1 / 29	2020-03-10
2.2.0	1 / 29	2020-02-27
2.1.0	1 / 29	2020-02-26
2.0.1	1 / 29	2020-02-26
2.0.0	1 / 29	2020-02-26
4.25.0-nightly-20260421-001ddea91	2 / 42	2026-04-21
4.25.0-nightly-20260420-8ca796a2f	2 / 42	2026-04-20
4.25.0-nightly-20260417-87923de04	2 / 42	2026-04-17
4.25.0-nightly-20260416-6febba1fc	2 / 42	2026-04-16
4.25.0-nightly-20260415-b9fafba3a	2 / 42	2026-04-15
4.25.0-nightly-20260414-33feebbb3	2 / 42	2026-04-14
4.25.0-nightly-20260413-8748b039c	2 / 42	2026-04-13
4.25.0-nightly-20260401-0636b922d	2 / 41	2026-04-01
4.25.0-nightly-20260331-0636b922d	2 / 41	2026-03-31
4.25.0-nightly-20260330-6cf26f6bf	2 / 41	2026-03-30
4.25.0-nightly-20260329-0c37478e1	2 / 41	2026-03-29
4.25.0-nightly-20260328-0c37478e1	2 / 41	2026-03-28
4.25.0-nightly-20260327-0c37478e1	2 / 41	2026-03-27
4.25.0-nightly-20260326-8fe76078f	2 / 41	2026-03-26
4.25.0-nightly-20260325-be64b6d9a	2 / 41	2026-03-25
4.25.0-nightly-20260324-8f47fa293	2 / 41	2026-03-24
4.25.0-nightly-20260323-2cc2243ba	2 / 41	2026-03-23
4.25.0-nightly-20260322-7334084cd	2 / 41	2026-03-22
4.25.0-nightly-20260321-7334084cd	2 / 41	2026-03-21
4.25.0-nightly-20260320-7334084cd	2 / 41	2026-03-20
4.25.0-nightly-20260319-7334084cd	2 / 41	2026-03-19
4.25.0-nightly-20260318-22fe56e79	2 / 41	2026-03-18
4.25.0-nightly-20260317-63b3baab6	2 / 41	2026-03-17
4.25.0-nightly-20260316-63b3baab6	2 / 41	2026-03-16
4.25.0-nightly-20260315-156d957d8	2 / 41	2026-03-15
4.25.0-nightly-20260314-156d957d8	2 / 41	2026-03-14
4.25.0-nightly-20260313-156d957d8	2 / 41	2026-03-13
4.25.0-nightly-20260312-4fc6f973b	2 / 41	2026-03-12
4.25.0-nightly-20260311-e6d763361	2 / 41	2026-03-11
4.25.0-nightly-20260310-40acc6141	2 / 41	2026-03-10
4.25.0-nightly-20260309-f59b9a29e	2 / 41	2026-03-09
4.25.0-nightly-20260308-41c7ab703	2 / 41	2026-03-08
4.25.0-nightly-20260307-41c7ab703	2 / 41	2026-03-07
4.25.0-nightly-20260306-41c7ab703	2 / 41	2026-03-06
4.25.0-nightly-20260305-41c7ab703	2 / 41	2026-03-05
4.25.0-nightly-20260304-4630ac13d	2 / 41	2026-03-04
4.25.0-nightly-20260303-8ebf0280e	2 / 41	2026-03-03
4.25.0-nightly-20260302-24757a340	2 / 41	2026-03-02
4.25.0-nightly-20260301-06b01be28	2 / 41	2026-03-01
4.25.0-nightly-20260228-06b01be28	2 / 41	2026-02-28
4.25.0-nightly-20260227-06b01be28	2 / 41	2026-02-27
4.25.0-nightly-20260226-418eb035f	2 / 41	2026-02-26
4.25.0-nightly-20260225-85a3c41d3	2 / 41	2026-02-25
4.25.0-nightly-20260224-1642c6d6d	2 / 41	2026-02-24
4.25.0-beta.1	2 / 42	2026-04-21
4.24.0-nightly-20260223-4b171b7de	2 / 41	2026-02-23
4.24.0-nightly-20260222-8ce74e4ee	2 / 41	2026-02-22
4.24.0-nightly-20260221-8ce74e4ee	2 / 41	2026-02-21
4.24.0-nightly-20260220-8ce74e4ee	2 / 41	2026-02-20
4.24.0-nightly-20260219-33eb2b58e	2 / 41	2026-02-19
4.24.0-nightly-20260218-7d4108662	2 / 41	2026-02-18
4.24.0-nightly-20260217-3d4529281	2 / 41	2026-02-17
4.24.0-nightly-20260216-9bfc35c6c	2 / 41	2026-02-16
4.24.0-nightly-20260215-469314f2b	2 / 41	2026-02-15
4.24.0-nightly-20260214-469314f2b	2 / 41	2026-02-14
4.24.0-nightly-20260213-469314f2b	2 / 41	2026-02-13
4.24.0-nightly-20260212-ba4827c38	2 / 41	2026-02-12
4.24.0-nightly-20260211-ba4827c38	2 / 41	2026-02-11
4.24.0-nightly-20260210-ba4827c38	2 / 41	2026-02-10
4.24.0-nightly-20260209-652ce079c	2 / 41	2026-02-09
4.24.0-nightly-20260208-652ce079c	2 / 41	2026-02-08
4.24.0-nightly-20260207-652ce079c	2 / 41	2026-02-07
4.24.0-nightly-20260206-652ce079c	2 / 41	2026-02-06
4.23.0-nightly-20260205-271111791	2 / 41	2026-02-05
4.23.0-nightly-20260204-c72539d59	2 / 41	2026-02-04
4.23.0-nightly-20260203-5a6f842df	2 / 41	2026-02-03
4.22.0-nightly-20260202-82ce103b5	2 / 41	2026-02-02
4.21.0-nightly-20260201-ba52d2f8d	2 / 41	2026-02-01
4.21.0-nightly-20260131-ba52d2f8d	2 / 41	2026-01-31
4.21.0-nightly-20260130-ba52d2f8d	2 / 41	2026-01-30
4.21.0-nightly-20260129-ce44512ff	2 / 41	2026-01-29
4.21.0-nightly-20260128-259a4881e	2 / 41	2026-01-28
4.21.0-nightly-20260127-7b89e5609	2 / 41	2026-01-27
4.21.0-nightly-20260126-7ec1b8964	2 / 41	2026-01-26
4.21.0-nightly-20260125-7ec1b8964	2 / 41	2026-01-25
4.21.0-nightly-20260124-7ec1b8964	2 / 41	2026-01-24
4.21.0-nightly-20260123-7ec1b8964	2 / 41	2026-01-23
4.21.0-nightly-20260122-7185f9f45	2 / 41	2026-01-22
4.21.0-nightly-20260121-24af933f7	2 / 41	2026-01-21
4.21.0-nightly-20260120-c3681a716	2 / 41	2026-01-20
4.21.0-nightly-20260119-35c7e069a	2 / 41	2026-01-19
4.20.0-nightly-20260118-bd7ee6eb3	2 / 41	2026-01-18
4.20.0-nightly-20260117-bd7ee6eb3	2 / 41	2026-01-17

Showing 100 of 457 Next page →

v2.13.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.11.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.25.0-nightly-20260421-001ddea91

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260420-8ca796a2f

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-20) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-20. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260417-87923de04

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260416-6febba1fc

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260415-b9fafba3a

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-15) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260414-33feebbb3

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-14) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-14. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260413-8748b039c

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260401-0636b922d

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-01) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260331-0636b922d

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-31) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-31. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260330-6cf26f6bf

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-30) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-30. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260329-0c37478e1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-29. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260328-0c37478e1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-28) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-28. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260327-0c37478e1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-27. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260326-8fe76078f

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-26) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260325-be64b6d9a

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260324-8f47fa293

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-24. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260323-2cc2243ba

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-23) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260322-7334084cd

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-22. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260321-7334084cd

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260320-7334084cd

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260319-7334084cd

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260318-22fe56e79

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260317-63b3baab6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260316-63b3baab6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260315-156d957d8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260314-156d957d8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260313-156d957d8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260312-4fc6f973b

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260311-e6d763361

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260310-40acc6141

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260309-f59b9a29e

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260308-41c7ab703

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260307-41c7ab703

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260306-41c7ab703

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0-nightly-20260305-41c7ab703

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.25.0-nightly-20260304-4630ac13d

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.25.0-nightly-20260303-8ebf0280e

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.25.0-nightly-20260302-24757a340

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.25.0-nightly-20260301-06b01be28

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-03-01) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-01. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260228-06b01be28

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-28) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-28. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260227-06b01be28

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260226-418eb035f

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-26) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-26. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260225-85a3c41d3

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-25) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-nightly-20260224-1642c6d6d

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.

v4.25.0-beta.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-04-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-21. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260223-4b171b7de

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-23) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260222-8ce74e4ee

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260221-8ce74e4ee

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260220-8ce74e4ee

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260219-33eb2b58e

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260218-7d4108662

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260217-3d4529281

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260216-9bfc35c6c

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.24.0-nightly-20260215-469314f2b

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.24.0-nightly-20260214-469314f2b

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.24.0-nightly-20260213-469314f2b

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.24.0-nightly-20260212-ba4827c38

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-12) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260211-ba4827c38

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-11) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260210-ba4827c38

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.24.0-nightly-20260209-652ce079c

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.24.0-nightly-20260208-652ce079c

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-08. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260207-652ce079c

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-07. This could indicate a legitimate maintainer transition or an account compromise.

v4.24.0-nightly-20260206-652ce079c

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-06) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-06. This could indicate a legitimate maintainer transition or an account compromise.

v4.23.0-nightly-20260205-271111791

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

v4.23.0-nightly-20260204-c72539d59

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.

v4.23.0-nightly-20260203-5a6f842df

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-02-03) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

v4.22.0-nightly-20260202-82ce103b5

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: t0maboro → GitHub Actions (on 2026-02-02) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260201-ba52d2f8d

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0-nightly-20260131-ba52d2f8d

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0-nightly-20260130-ba52d2f8d

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0-nightly-20260129-ce44512ff

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0-nightly-20260128-259a4881e

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.21.0-nightly-20260127-7b89e5609

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.21.0-nightly-20260126-7ec1b8964

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.21.0-nightly-20260125-7ec1b8964

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

v4.21.0-nightly-20260124-7ec1b8964

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-24. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260123-7ec1b8964

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-23) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-23. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260122-7185f9f45

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260121-24af933f7

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260120-c3681a716

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-20) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.

v4.21.0-nightly-20260119-35c7e069a

3 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Publisher changed: kkafar → GitHub Actions (on 2026-01-19) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.

v4.20.0-nightly-20260118-bd7ee6eb3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.20.0-nightly-20260117-bd7ee6eb3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.