@amcharts/amcharts5
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
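The two checks behind that sentence, as an added example that is not part of this report, of the scanner, or of @amcharts/amcharts5: the registry's version record advertises a tarball, an SRI `integrity` digest and, only for versions published with npm provenance, a `dist.attestations` object. The packument below is constructed by hand in that shape (package name, URLs and tarball bytes are placeholders), and the code shows what a digest check can and cannot tell you.

```python
"""Provenance and integrity checks on npm version metadata.

Added example, not the scanner's code. The PACKUMENT dict is constructed to
mirror the registry's version-record shape ('dist' with 'tarball',
'integrity' and, when published with provenance, 'attestations'); package
name, URLs and tarball bytes are placeholders.
"""
import base64
import hashlib
import hmac

FAKE_TARBALL = b"constructed placeholder standing in for a .tgz from the registry"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm stores in dist.integrity."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed packument: 1.0.0 has no attestations (the situation this report
# flags); 1.1.0 was published with provenance carrying a SLSA v1 predicate.
PACKUMENT = {
    "name": "example-charts",
    "versions": {
        "1.0.0": {
            "dist": {
                "tarball": "https://registry.example/example-charts/-/example-charts-1.0.0.tgz",
                "integrity": sri(FAKE_TARBALL),
            }
        },
        "1.1.0": {
            "dist": {
                "tarball": "https://registry.example/example-charts/-/example-charts-1.1.0.tgz",
                "integrity": sri(FAKE_TARBALL),
                "attestations": {
                    "url": "https://registry.example/-/npm/v1/attestations/example-charts@1.1.0",
                    "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
                },
            }
        },
    },
}


def provenance_status(packument: dict, version: str) -> str:
    """'none' when no attestation bundle is advertised, 'slsa:<ver>' for a SLSA
    provenance predicate, 'unknown' for any other predicate type."""
    record = packument["versions"][version]
    attestations = record.get("dist", {}).get("attestations")
    if not attestations:
        return "none"
    predicate = (attestations.get("provenance") or {}).get("predicateType", "")
    if predicate.startswith("https://slsa.dev/provenance/"):
        return "slsa:" + predicate.rstrip("/").rsplit("/", 1)[-1]
    return "unknown"


def versions_without_provenance(packument: dict) -> list:
    """Versions whose record carries no attestation bundle, in record order."""
    return [v for v in packument["versions"] if provenance_status(packument, v) == "none"]


def verify_integrity(tarball: bytes, integrity: str) -> bool:
    """Check tarball bytes against a single-hash SRI string (constant-time compare).
    This only proves the bytes match what the registry advertises; it says
    nothing about which source commit or builder produced them."""
    algo, sep, expected_b64 = integrity.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity string: {integrity!r}")
    expected = base64.b64decode(expected_b64)
    actual = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for version, record in PACKUMENT["versions"].items():
        ok = verify_integrity(FAKE_TARBALL, record["dist"]["integrity"])
        print(version, provenance_status(PACKUMENT, version),
              "integrity-ok" if ok else "integrity-MISMATCH")
```

The integrity digest passes for both versions, and that is the point: a substituted tarball published by whoever holds the publish token also matches its own advertised digest. Only the attestation ties the bytes to a source repository and a builder. Against the live registry the same fields are visible with `npm view @amcharts/amcharts5 dist.integrity` and `npm view @amcharts/amcharts5 dist.attestations` (the latter prints nothing when, as here, none exist), and a recent npm verifies registry signatures and any provenance attestations for installed packages with `npm audit signatures`.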
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/svg-arc-to-cubic-bezier | AI (phantom-deps): Type definitions for SVG utility; conventionally loaded for charting rendering. | ai | |
| phantom-deps | phantom-dep:@types/d3 | AI (phantom-deps): TypeScript type definitions for D3 are conventionally loaded in charting libraries; expected for amcharts5. | ai | |
| phantom-deps | phantom-dep:@types/geojson | AI (phantom-deps): GeoJSON types are conventionally loaded for geographic charting features; expected pattern. | ai | |
| phantom-deps | phantom-dep:@types/d3-chord | AI (phantom-deps): D3 submodule types loaded by convention for charting library; stable pattern. | ai | |
| phantom-deps | phantom-dep:@types/d3-shape | AI (phantom-deps): D3 submodule types loaded by convention for charting library; stable pattern. | ai | |
| phantom-deps | phantom-dep:@types/d3-sankey | AI (phantom-deps): D3 submodule types loaded by convention for charting library; stable pattern. | ai | |
| phantom-deps | phantom-dep:@types/polylabel | AI (phantom-deps): Type definitions for polygon labeling utility; conventionally loaded for charting features. | ai | |
| phantom-deps | phantom-dep:@types/d3-hierarchy | AI (phantom-deps): D3 submodule types loaded by convention for charting library; stable pattern. | ai | |
| dependencies | unvetted-dep:flatpickr | AI (dependencies): flatpickr is a well-known date picker library; expected dependency for a charting library with date input features. | ai | |
| dependencies | unvetted-dep:markerjs2 | AI (dependencies): markerjs2 is a legitimate annotation library; used by amcharts5 for optional image annotation features. | ai | |
| dependencies | unvetted-dep:polylabel | AI (dependencies): polylabel is a well-known Mapbox library for polygon label placement; expected in a charting/mapping library. | ai | |
| dependencies | unvetted-dep:d3-voronoi-treemap | AI (dependencies): d3-voronoi-treemap is a legitimate D3 extension for voronoi treemap charts; expected in a feature-rich charting library. | ai | |
| dependencies | unvetted-dep:svg-arc-to-cubic-bezier | AI (dependencies): svg-arc-to-cubic-bezier is a well-known SVG utility; expected in a charting library that renders SVG graphics. | ai | |
| phantom-deps | phantom-dep:pdfmake | AI (phantom-deps): pdfmake is an optional export dependency for amcharts5; referenced in config but loaded conditionally by users. | ai | |
| phantom-deps | phantom-dep:markerjs2 | AI (phantom-deps): markerjs2 is an optional annotation feature dependency; phantom pattern is expected for optional integrations. | ai | |
| provenance | no-provenance | AI (provenance): amcharts5 is a long-established commercial library (1717 days, 248 versions); lack of Sigstore provenance is common and not a risk signal here. | ai | |
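Most rows above come from the scanner's phantom-deps rule, which the page does not define. The following is an added example, not the scanner's code and not amcharts5's real tree, using an assumed definition: a package is phantom when a shipped file imports it and it appears in none of `dependencies`, `peerDependencies` or `optionalDependencies`. The package.json and source files are constructed samples; the optional-integration pattern the table accepts (markerjs2 loaded on demand) is what the dynamic `import()` line reproduces.

```python
"""Phantom-dependency check: packages imported by shipped files but not
declared in package.json.

Added example with an assumed definition of "phantom" (imported in the
published tree, absent from dependencies/peerDependencies/optionalDependencies).
The package.json and files at the bottom are constructed samples.
"""
from __future__ import annotations

import re

# Node built-ins come from the runtime and never count as phantom.
# Partial list; the full set is module.builtinModules in Node.
NODE_BUILTINS = {"fs", "path", "os", "crypto", "url", "util", "events", "stream",
                 "http", "https", "child_process", "buffer", "zlib"}

# Heuristic source patterns (regex, not a parser): static import / export-from,
# require(), dynamic import(), and the TypeScript triple-slash types directive.
STATIC_IMPORT = re.compile(
    r"""\b(?:import|export)\s+(?:type\s+)?(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]""")
REQUIRE_CALL = re.compile(r"""\brequire\s*\(\s*['"]([^'"]+)['"]""")
DYNAMIC_IMPORT = re.compile(r"""\bimport\s*\(\s*['"]([^'"]+)['"]""")
REFERENCE_TYPES = re.compile(r"""///\s*<reference\s+types=["']([^"']+)["']\s*/>""")


def package_name(specifier: str) -> str | None:
    """Map an import specifier to the npm package providing it; None for
    relative/absolute paths and node: URLs."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    if specifier.startswith("@"):              # scoped: @scope/name[/subpath]
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return parts[0]                            # bare: name[/subpath]


def imported_packages(source: str) -> set[str]:
    names: set[str] = set()
    for pattern in (STATIC_IMPORT, REQUIRE_CALL, DYNAMIC_IMPORT):
        for match in pattern.finditer(source):
            name = package_name(match.group(1))
            if name and name not in NODE_BUILTINS:
                names.add(name)
    for match in REFERENCE_TYPES.finditer(source):
        # /// <reference types="x" /> resolves to @types/x unless already scoped
        ref = match.group(1)
        names.add(ref if ref.startswith("@") else f"@types/{ref}")
    return names


def declared_packages(pkg_json: dict) -> set[str]:
    declared = {pkg_json["name"]}              # self-imports are fine
    for field in ("dependencies", "peerDependencies", "optionalDependencies"):
        declared.update(pkg_json.get(field, {}))
    return declared


def phantom_dependencies(pkg_json: dict, shipped_files: dict[str, str]) -> list[str]:
    """Sorted list of packages imported by shipped files but not declared."""
    used: set[str] = set()
    for source in shipped_files.values():
        used |= imported_packages(source)
    return sorted(used - declared_packages(pkg_json))


# Constructed sample tree (not amcharts5's).
SAMPLE_PACKAGE_JSON = {
    "name": "example-charts",
    "dependencies": {"d3-shape": "^3.2.0", "flatpickr": "^4.6.13"},
}
SAMPLE_FILES = {
    "dist/index.js": (
        "import { arc } from 'd3-shape';\n"
        "const flatpickr = require('flatpickr');\n"
        "import('markerjs2').then(m => m.init());   // optional feature, never declared\n"
        "import { readFileSync } from 'node:fs';\n"
        "import './util.js';\n"
    ),
    "dist/geo.d.ts": (
        '/// <reference types="geojson" />\n'
        "import type { Arc } from 'd3-shape';\n"
        "export declare function area(feature: GeoJSON.Feature): number;\n"
    ),
}

if __name__ == "__main__":
    print(phantom_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_FILES))
```

`devDependencies` are left out on purpose: consumers never install them, so a runtime or type import that is only satisfied by a devDependency is exactly the case worth flagging. For a real package, feed it the file list from `npm pack --dry-run --json` rather than the whole repository, and treat the result as a review queue, as the table above does, since an on-demand integration the user is expected to install themselves is a legitimate phantom while an undeclared package the code needs at load time is not.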
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 5.18.0 | 25 / 0 | |
| 5.17.3 | 25 / 0 | |
| 5.17.2 | 25 / 0 | |
| 5.17.1 | 25 / 0 | |
| 5.17.0 | 25 / 0 | |
| 5.16.2 | 25 / 0 | |
| 5.16.1 | 25 / 0 | |
| 5.16.0 | 25 / 0 | |
| 5.15.6 | 25 / 0 | |
| 5.15.5 | 25 / 0 | |
| 5.15.4 | 25 / 0 | |
| 5.15.3 | 25 / 0 | |
| 5.15.2 | 25 / 0 | |
| 5.15.1 | 25 / 0 | |
| 5.15.0 | 25 / 0 | |
| 5.14.4 | 25 / 0 | |
| 5.14.3 | 25 / 0 | |
| 5.14.2 | 25 / 0 | |
| 5.14.1 | 25 / 0 | |
| 5.14.0 | 25 / 0 | |
| 5.13.6 | 25 / 0 | |
| 5.13.5 | 25 / 0 | |
| 5.13.4 | 25 / 0 | |
| 5.13.3 | 25 / 0 | |
| 5.13.2 | 25 / 0 | |
| 5.13.1 | 25 / 0 | |
| 5.13.0 | 25 / 0 | |
| 5.12.3 | 25 / 0 | |
| 5.12.2 | 25 / 0 | |
Findings by version
| Version | Count | Finding |
|---|---|---|
| 5.18.0 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.17.3 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.17.2 | 1 | Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.17.1 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.17.0 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.15.6 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.14.3 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.14.2 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.14.1 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.14.0 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.13.6 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.13.5 | 1 | [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| 5.13.4 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.13.3 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.13.2 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.13.1 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.13.0 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.12.3 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| 5.12.2 | 1 | [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |