@affinda/wc

Supply chain provenance

Status for the latest visible version.

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@affinda/illustrations	AI (dependencies): Same @affinda org scope as this package; internal sibling dependency, not a third-party risk.	ai	2026/04/26
dependencies	unvetted-dep:@affinda/css	AI (dependencies): Same @affinda org scope as this package; internal sibling dependency, not a third-party risk.	ai	2026/04/26
dependencies	unvetted-dep:@affinda/icons	AI (dependencies): Same @affinda org scope as this package; internal sibling dependency, not a third-party risk.	ai	2026/04/26
dependencies	unvetted-dep:@affinda/tokens	AI (dependencies): Same @affinda org scope as this package; internal sibling dependency, not a third-party risk.	ai	2026/04/26
typosquat	typosquat.levenshtein:pg	AI (typosquat): Scoped package @affinda/wc cannot be a typosquat of 'pg'; the @affinda org scope makes impersonation implausible. False positive.	ai	2026/04/25
typosquat	typosquat.levenshtein:qs	AI (typosquat): Scoped package @affinda/wc cannot be a typosquat of 'qs'; the @affinda org scope makes impersonation implausible. False positive.	ai	2026/04/25
phantom-deps	phantom-dep:@affinda/css	AI (phantom-deps): Same-org dependency used indirectly via Stencil build pipeline; phantom-dep detection is unreliable for bundled web component libraries.	ai	2026/04/25
phantom-deps	phantom-dep:@affinda/tokens	AI (phantom-deps): Same-org dependency used indirectly via Stencil build pipeline; phantom-dep detection is unreliable for bundled web component libraries.	ai	2026/04/25

Version	Deps	Published