supabase
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@vercel/detect-agent | AI (phantom-deps): Framework-scoped package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@napi-rs/keyring | AI (phantom-deps): Native keyring binding for credential storage in CLI. | ai | |
| phantom-deps | phantom-dep:@effect/atom-react | AI (phantom-deps): Effect ecosystem dep used transitively in the TUI layer. | ai | |
| phantom-deps | phantom-dep:@effect/platform-bun | AI (phantom-deps): Bun platform adapter for Effect; used at runtime. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance present; gitHead absence is a CI config change, not a security signal. | ai | |
| phantom-deps | phantom-dep:ink | AI (phantom-deps): Ink is a peer/transitive dep used by the TUI framework in this CLI monorepo. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): React is a peer dep of ink, required at runtime for the TUI. | ai | |
| phantom-deps | phantom-dep:effect | AI (phantom-deps): Effect is used transitively via @effect/* packages in this monorepo. | ai | |
| phantom-deps | phantom-dep:ink-spinner | AI (phantom-deps): Ink-spinner is a TUI component used in the CLI's ink-based UI. | ai | |
| phantom-deps | phantom-dep:posthog-node | AI (phantom-deps): Analytics dep referenced in config; stable for this CLI package. | ai | |
| phantom-deps | phantom-dep:@clack/prompts | AI (phantom-deps): CLI prompt library referenced in config; stable for this package. | ai | |
| phantom-deps | phantom-dep:@parcel/watcher | AI (phantom-deps): File watcher for dev mode; referenced in config files. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Supabase CLI uses automated CI/CD releases; rapid successive publishes are expected and backed by SLSA provenance. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Supabase CLI is published via GitHub Actions with SLSA/Sigstore provenance attestation, ruling out account takeover. Dormancy pattern is a false positive for this verified CI/CD-published package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Supabase CLI's postinstall fetches platform-specific prebuilt binaries — a documented, stable install pattern consistent with its declared dependencies (node-fetch, tar, bin-links, https-proxy-agent). | ai |
Versions (showing 44 of 145)
| Version | Deps | Published |
|---|---|---|
| 2.34.2 | 4 / 0 | |
| 2.34.0 | 4 / 0 | |
| 2.33.8 | 4 / 0 | |
| 2.33.5 | 4 / 0 | |
| 2.33.4 | 4 / 0 | |
| 2.33.3 | 4 / 0 | |
| 2.33.2 | 4 / 0 | |
| 2.33.1 | 4 / 0 | |
| 2.32.0 | 4 / 0 | |
| 2.31.7 | 4 / 0 | |
| 2.31.6 | 4 / 0 | |
| 2.31.5 | 4 / 0 | |
| 2.31.3 | 4 / 0 | |
| 2.31.1 | 4 / 0 | |
| 2.30.4 | 4 / 0 | |
| 2.30.3 | 4 / 0 | |
| 2.30.2 | 4 / 0 | |
| 2.30.0 | 4 / 0 | |
| 2.29.0 | 4 / 0 | |
| 2.28.0 | 4 / 0 | |
| 2.27.0 | 4 / 0 | |
| 2.26.9 | 4 / 0 | |
| 2.26.6 | 4 / 0 | |
| 2.26.5 | 4 / 0 | |
| 2.26.2 | 4 / 0 | |
| 2.26.1 | 4 / 0 | |
| 2.26.0 | 4 / 0 | |
| 2.25.0 | 4 / 0 | |
| 2.24.3 | 4 / 0 | |
| 2.24.0 | 4 / 0 | |
| 2.23.8 | 4 / 0 | |
| 2.23.7 | 4 / 0 | |
| 2.23.6 | 4 / 0 | |
| 2.23.4 | 4 / 0 | |
| 2.23.2 | 4 / 0 | |
| 2.23.1 | 4 / 0 | |
| 2.23.0 | 4 / 0 | |
| 2.22.16 | 4 / 0 | |
| 2.22.13 | 4 / 0 | |
| 2.22.12 | 4 / 0 | |
| 2.22.11 | 4 / 0 | |
| 2.22.10 | 4 / 0 | |
| 2.22.8 | 4 / 0 | |
| 2.22.7 | 4 / 0 |
v2.34.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.33.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.31.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.31.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.31.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.31.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.22.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.