skuba
SEEK development toolkit for backend applications and packages
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@ast-grep/lang-yaml | AI (dependencies): Official ast-grep language binding; consistent with skuba's linting/formatting toolchain use case. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-packagejson | AI (phantom-deps): Prettier plugin loaded via config; not directly imported in source. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-istanbul | AI (phantom-deps): Framework-scoped vitest coverage provider; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@vitest/coverage-v8 | AI (phantom-deps): Framework-scoped vitest coverage provider; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@vitest/utils | AI (phantom-deps): Framework-scoped vitest utility; loaded by vitest convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:@vitest/ui | AI (phantom-deps): Framework-scoped vitest plugin; loaded by vitest convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): CLI tool; tsx is a runtime peer/plugin dep loaded by convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:rolldown | AI (phantom-deps): CLI tool; rolldown is a build-tool peer dep loaded by convention. | ai | |
| phantom-deps | phantom-dep:publint | AI (phantom-deps): publint is a build/lint tool used via config/CLI, not direct import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@arethetypeswrong/core | AI (phantom-deps): Type-checking tool invoked via config, not direct import; stable false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large toolkit with frequent feature additions; 22 new files consistent with major version bump from v14 to v15. | ai | |
| dependencies | unvetted-dep:golden-fleece | AI (dependencies): Small utility dep consistent with skuba's toolchain role; stable across versions. | ai | |
| dependencies | unvetted-dep:tsconfig-seek | AI (dependencies): SEEK-internal tsconfig utility; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:function-arguments | AI (dependencies): Small utility; consistent with skuba's toolchain role. | ai | |
| dependencies | unvetted-dep:@octokit/graphql-schema | AI (dependencies): GitHub API schema dep; expected for a CI/CD toolchain like skuba. | ai | |
| dependencies | unvetted-dep:@esbuild-plugins/tsconfig-paths | AI (dependencies): esbuild plugin for tsconfig paths; consistent with skuba's build toolchain role. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance attestation confirms CI/CD publish; established package with 535 versions and no code-level red flags. | ai | |
| phantom-deps | phantom-dep:@types/jest | AI (phantom-deps): Framework-scoped type package loaded by convention in a TypeScript toolchain; stable false positive for skuba. | ai | |
| phantom-deps | phantom-dep:@octokit/rest | AI (phantom-deps): Referenced in config/type files as part of skuba's GitHub integration; stable false positive. | ai | |
| phantom-deps | phantom-dep:ts-dedent | AI (phantom-deps): Referenced in config/template files rather than direct imports; stable false positive for skuba's template system. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive for a Node.js toolchain package. | ai | |
| phantom-deps | phantom-dep:@octokit/graphql-schema | AI (phantom-deps): Referenced in config files as part of skuba's GitHub integration; stable false positive. | ai | |
| phantom-deps | phantom-dep:@octokit/graphql | AI (phantom-deps): Referenced in config files as part of skuba's GitHub integration; stable false positive. | ai | |
| phantom-deps | phantom-dep:@octokit/types | AI (phantom-deps): Type-only package referenced in config files; stable false positive for skuba's GitHub integration. | ai | |
| phantom-deps | phantom-dep:tsconfig-seek | AI (phantom-deps): Build utility referenced in config files; stable false positive for skuba's TypeScript toolchain. | ai | |
| phantom-deps | phantom-dep:jest | AI (phantom-deps): skuba is a toolchain that exposes jest as a managed dependency for downstream consumers; phantom detection is expected for this package's design. | ai | |
| phantom-deps | phantom-dep:semantic-release | AI (phantom-deps): skuba orchestrates semantic-release for downstream consumers; phantom detection is expected for this toolchain package. | ai | |
| phantom-deps | phantom-dep:ts-node | AI (phantom-deps): skuba manages ts-node for downstream consumers; phantom detection is expected for this toolchain package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in skuba's CLI loads user-provided template config files at known paths — standard scaffolding tool pattern, not arbitrary code execution. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 16.0.8 | 55 / 28 | |
| 16.0.7 | 55 / 28 | |
| 16.0.6 | 55 / 28 | |
| 16.0.5 | 55 / 28 | |
| 16.0.4 | 55 / 28 | |
| 16.0.3 | 55 / 28 | |
| 16.0.2 | 55 / 28 | |
| 16.0.1 | 55 / 28 | |
| 16.0.0 | 55 / 28 | |
| 15.3.0 | 54 / 31 | |
| 15.2.0 | 54 / 31 | |
| 15.1.0 | 53 / 31 | |
| 15.0.1 | 52 / 29 | |
| 15.0.0 | 52 / 29 | |
| 14.1.1 | 49 / 28 | |
| 14.1.0 | 49 / 28 | |
| 14.0.1 | 49 / 28 | |
| 14.0.0 | 49 / 28 | |
| 13.1.1 | 47 / 28 | |
| 13.1.0 | 47 / 28 | |
v16.0.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v15.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.