v0.7.0 — provenance continuity
Added
Provenance continuity — a per-package trust baseline that catches what npm structurally cannot.
npm verifies provenance at publish time but does not enforce continuity between versions. A compromised account can publish a version with no attestation (from a stolen token) or from a different repository, and npm raises no alarm. This is the dominant 2026 attack pattern (Mastra, the dormant-account republishes).
Continuity learns a per-package baseline from the provenance identity of recent versions and blocks deviations:
- provenance-downgrade — recent versions were attested, this one is not (the fingerprint of an account-compromise publish).
- identity-discontinuity — this version is attested from a different source repository than the established baseline.
Learned per package, so packages that never adopted provenance have no baseline and the check stays silent — no false positives. Reads npm's attestation metadata, so it works without the optional sigstore package. Opt in via continuity.mode.
The attack replay (pnpm replay mastra) now demonstrates the provenance-downgrade verdict — the catch npm defaults cannot make.
Honest limit: does not catch an attack delivered through a legitimately-compromised CI workflow with valid provenance from the real repository (the Shai-Hulud class).
Full changelog: https://github.com/Mickdownunder/SafeInstall/blob/main/CHANGELOG.md