Upstream Issue Template
Upstream Supply-Chain Evidence Request
Package: <name>
Version reviewed: <version>
Repository: <url>
AIWG tracking issue: <issue>
Summary
AIWG is reviewing third-party npm package provenance and lifecycle behavior for dependencies shipped in its package or used by maintainers. During review, we could not verify the following evidence:
- <signed release tag / trusted publishing attestation / lifecycle script rationale / private package source link>
Requested Clarification
Please confirm:
- the canonical source ref for npm version <version>;
- whether npm releases are produced by trusted publishing or a documented release workflow;
- whether release tags are signed, and how consumers should verify them;
- why any install-time or release-time lifecycle scripts are necessary.
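The items above can be partly pre-checked from the npm registry's version metadata before a request is filed. The following is an added example for this template, not code from AIWG or from any upstream project: it takes a version manifest (the JSON that `npm view <name>@<version> --json` returns) and lists which evidence items cannot be confirmed from that record, so the Summary bullet can be filled in accurately. The field names (repository.url, gitHead, dist.attestations, scripts) are those the registry publishes; the two sample manifests are constructed for this example and describe no real package. Signed release tags are intentionally left to a manual git check, since the registry record cannot prove them.

```javascript
// Added example (not part of the AIWG template): pre-filing check that reads
// one npm version manifest and reports which evidence items from the request
// cannot be verified from registry metadata alone.
// The sample manifests below are constructed and describe no real package.

// Lifecycle scripts npm runs automatically at install time ...
const INSTALL_TIME = ['preinstall', 'install', 'postinstall', 'prepare'];
// ... and at release time (during `npm pack` / `npm publish`).
const RELEASE_TIME = ['prepublish', 'prepublishOnly', 'prepack', 'postpack', 'publish', 'postpublish'];

// Return every lifecycle script in the manifest with its phase and command.
function lifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  return Object.keys(scripts)
    .filter((name) => INSTALL_TIME.includes(name) || RELEASE_TIME.includes(name))
    .map((name) => ({
      name,
      phase: INSTALL_TIME.includes(name) ? 'install-time' : 'release-time',
      command: scripts[name],
    }));
}

// Evidence items from the request that the registry metadata cannot confirm.
// Signed release tags are deliberately not checked here: that needs the git
// repository itself (git verify-tag on the release tag), not the registry record.
function missingEvidence(manifest) {
  const missing = [];
  // Canonical source ref: the registry records the repository URL and, when the
  // publisher ran npm inside a git checkout, the commit hash as gitHead.
  const repoUrl = manifest.repository && manifest.repository.url;
  if (!repoUrl || !manifest.gitHead) {
    missing.push('canonical source ref (repository.url and gitHead)');
  }
  // Trusted publishing: provenance attestations appear under dist.attestations.
  const attestations = manifest.dist && manifest.dist.attestations;
  if (!attestations || !attestations.url) {
    missing.push('trusted publishing attestation (dist.attestations)');
  }
  // Every install- or release-time script needs a documented rationale.
  for (const s of lifecycleScripts(manifest)) {
    missing.push(`${s.phase} lifecycle script rationale: "${s.name}" runs ${JSON.stringify(s.command)}`);
  }
  return missing;
}

// Render the Summary bullets of the request for the given manifest.
function renderEvidenceBullets(manifest) {
  return missingEvidence(manifest).map((item) => `- ${item}`).join('\n');
}

// Constructed manifest of a hypothetical package published with provenance.
const WITH_PROVENANCE = {
  name: 'example-lib',
  version: '1.4.2',
  repository: { type: 'git', url: 'git+https://github.com/example-org/example-lib.git' },
  gitHead: '0123456789abcdef0123456789abcdef01234567', // constructed placeholder hash
  dist: {
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-lib@1.4.2',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
  scripts: { test: 'node --test' },
};

// Constructed manifest of a hypothetical package with no provenance, no
// recorded commit, and an install-time script that needs explaining.
const WITHOUT_PROVENANCE = {
  name: 'example-tool',
  version: '0.9.0',
  repository: { type: 'git', url: 'git+https://github.com/example-org/example-tool.git' },
  dist: {},
  scripts: { postinstall: 'node scripts/setup.js', build: 'tsc' },
};

console.log(`Package: ${WITHOUT_PROVENANCE.name}`);
console.log(`Version reviewed: ${WITHOUT_PROVENANCE.version}`);
console.log(renderEvidenceBullets(WITHOUT_PROVENANCE));
```

Against a real package, replace the constructed manifests with the output of `npm view <name>@<version> --json`; an empty result from missingEvidence means only the signed-tag check remains, which is done against the repository with git verify-tag, not against the registry.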
Notes
This is a documentation/provenance request unless a concrete exploitability finding is attached. Human review is required before filing upstream.