@aquera/nile-elements
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Long strings are minified web component JS (lit directives, icon maps); consistent with a large UI component library bundle. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Runs local postinstall.js; figlet+chalk deps suggest a banner script, not exfiltration. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@open-wc/form-control | AI (phantom-deps): Declared dep used in config/types for web-component form integration; not a direct import by design. | ai | |
| phantom-deps | phantom-dep:@open-wc/form-helpers | AI (phantom-deps): Same rationale as @open-wc/form-control. | ai | |
| phantom-deps | phantom-dep:element-internals-polyfill | AI (phantom-deps): Polyfill loaded via side-effect in config; not directly imported in source files. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.7.7 | 19 / 30 | |
| 1.7.6 | 19 / 30 | |
| 1.7.5 | 19 / 30 | |
| 1.7.4 | 19 / 30 | |
| 1.7.3 | 19 / 30 | |
| 1.7.2 | 19 / 30 | |
| 1.7.1 | 18 / 30 | |
| 1.7.0 | 18 / 30 | |
| 1.6.9 | 18 / 30 | |
| 1.6.8 | 18 / 30 |
v1.7.7
2 findingsModified file contains 602 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.5
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.4
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.3
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.2
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.1
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.0
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.9
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.8
2 findingsScript: node postinstall.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.