turbo-windows-arm64 — Greenflagged

The windows-arm64 binary for turbo, a monorepo build system.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

jaredpalmervercel-release-botturbobot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	bundled-binaries	AI (npm-metadata): This package exists solely to distribute the prebuilt Turbo CLI binary for windows-arm64. Bundled binary is its core purpose.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Publisher turbobot has a strong track record (2075 approved, 0 rejected). Lack of provenance is common and not concerning here.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Platform-specific binary sub-package; no deps, tiny payload, and sparse README are all expected for this distribution pattern. 665 versions and 600k weekly downloads confirm legitimacy.	ai	2026/04/23

Versions (showing 100 of 360)

Hide prereleases

Version	Deps	Published
1.10.5	0 / 0	2023-06-22
1.10.4	0 / 0	2023-06-21
1.10.3	0 / 0	2023-06-09
1.10.2	0 / 0	2023-06-06
1.10.1	0 / 0	2023-05-31
1.10.0	0 / 0	2023-05-30
1.9.9	0 / 0	2023-05-23
1.9.8	0 / 0	2023-05-18
1.9.7	0 / 0	2023-05-17
1.9.6	0 / 0	2023-05-16
1.9.5	0 / 0	2023-05-15
1.9.4	0 / 0	2023-05-11
1.9.3	0 / 0	2023-04-17
1.9.2	0 / 0	2023-04-17
1.9.1	0 / 0	2023-04-12
1.9.0	0 / 0	2023-04-11
1.8.8	0 / 0	2023-03-29
1.8.7	0 / 0	2023-03-29
1.8.6	0 / 0	2023-03-27
1.8.5	0 / 0	2023-03-21
1.8.4	0 / 0	2023-03-20
1.8.3	0 / 0	2023-02-27
1.8.2	0 / 0	2023-02-22
1.8.1	0 / 0	2023-02-17
1.8.0	0 / 0	2023-02-17
1.7.4	0 / 0	2023-02-08
1.7.3	0 / 0	2023-02-03
1.7.2	0 / 0	2023-02-01
1.7.1	0 / 0	2023-01-31
1.7.0	0 / 0	2023-01-10
1.6.3	0 / 0	2022-11-01
1.6.2	0 / 0	2022-10-28
1.6.1	0 / 0	2022-10-21
1.6.0	0 / 0	2022-10-21
1.5.6	0 / 0	2022-10-10
1.5.5	0 / 0	2022-09-29
1.5.4	0 / 0	2022-09-27
1.5.3	0 / 0	2022-09-23
1.5.2	0 / 0	2022-09-23
1.5.1	0 / 0	2022-09-21
1.5.0	0 / 0	2022-09-21
1.4.7	0 / 0	2022-09-16
1.4.6	0 / 0	2022-09-08
1.4.5	0 / 0	2022-09-02
1.4.4	0 / 0	2022-09-01
1.4.3	0 / 0	2022-08-09
1.4.2	0 / 0	2022-08-01
1.4.1	0 / 0	2022-08-01
1.4.0	0 / 0	2022-07-29
1.3.4	0 / 0	2022-07-21
1.3.3	0 / 0	2022-07-20
1.3.2	0 / 0	2022-07-20
1.3.1	0 / 0	2022-06-23
1.3.0	0 / 0	2022-06-23
1.2.16	0 / 0	2022-06-02
1.2.15	0 / 0	2022-06-02
1.2.14	0 / 0	2022-05-25
1.2.13	0 / 0	2022-05-25
1.2.12	0 / 0	2022-05-24
1.2.11	0 / 0	2022-05-22
1.2.10	0 / 0	2022-05-22
1.2.9	0 / 0	2022-05-11
1.2.8	0 / 0	2022-05-05
1.2.7	0 / 0	2022-05-05
1.2.6	0 / 0	2022-04-29
2.8.18-canary.2	0 / 0	2026-03-13
2.8.18-canary.1	0 / 0	2026-03-13
2.8.17-canary.9	0 / 0	2026-03-12
2.8.17-canary.8	0 / 0	2026-03-12
2.8.17-canary.7	0 / 0	2026-03-12
2.8.17-canary.6	0 / 0	2026-03-12
2.8.17-canary.5	0 / 0	2026-03-12
2.8.17-canary.4	0 / 0	2026-03-11
2.8.17-canary.3	0 / 0	2026-03-11
2.8.17-canary.2	0 / 0	2026-03-11
2.8.17-canary.16	0 / 0	2026-03-13
2.8.17-canary.15	0 / 0	2026-03-13
2.8.17-canary.14	0 / 0	2026-03-13
2.8.17-canary.13	0 / 0	2026-03-12
2.8.17-canary.12	0 / 0	2026-03-12
2.8.17-canary.11	0 / 0	2026-03-12
2.8.17-canary.10	0 / 0	2026-03-12
2.8.17-canary.1	0 / 0	2026-03-11
2.8.16-canary.1	0 / 0	2026-03-10
2.8.15-canary.9	0 / 0	2026-03-08
2.8.15-canary.8	0 / 0	2026-03-08
2.8.15-canary.7	0 / 0	2026-03-08
2.8.15-canary.6	0 / 0	2026-03-07
2.8.15-canary.5	0 / 0	2026-03-07
2.8.15-canary.4	0 / 0	2026-03-07
2.8.15-canary.3	0 / 0	2026-03-06
2.8.15-canary.2	0 / 0	2026-03-06
2.8.15-canary.14	0 / 0	2026-03-09
2.8.15-canary.13	0 / 0	2026-03-09
2.8.15-canary.12	0 / 0	2026-03-09
2.8.15-canary.11	0 / 0	2026-03-09
2.8.15-canary.10	0 / 0	2026-03-09
2.8.15-canary.1	0 / 0	2026-03-06
2.8.14-canary.9	0 / 0	2026-03-06
2.8.14-canary.8	0 / 0	2026-03-05

Showing 100 of 360 Next page →

v1.10.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.10.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.6

2 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • turbo-windows-arm64/bin/go-turbo.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.16

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.12

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.