@atomicservice/ascf-toolkit

ASCF toolkit for atomicservice

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

atomicservice

Keywords

atomicserviceloaderwebpack

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): HDC device executor communicates with local device IPs; expected for this toolkit.	ai	2026/05/29
semgrep	semgrep:hex-decode	AI (semgrep): Signing/crypto tooling legitimately uses hex encoding; no exfiltration pattern evident.	ai	2026/05/29
semgrep	semgrep:child-process-spawn	AI (semgrep): CLI toolkit spawning processes is expected; consistent with ascf build tooling.	ai	2026/05/29
phantom-deps	phantom-dep:less	AI (phantom-deps): Peer/optional dep for webpack pipeline configuration; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:sass	AI (phantom-deps): Peer/optional dep for webpack pipeline configuration; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:eslint	AI (phantom-deps): Peer/optional dep for webpack pipeline configuration; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:log4js	AI (phantom-deps): Logging dep referenced via config convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:express	AI (phantom-deps): Dev server dep; stable false positive for this toolkit.	ai	2026/05/20
phantom-deps	phantom-dep:less-loader	AI (phantom-deps): Webpack loader dep declared for downstream consumers; stable false positive.	ai	2026/05/20
semgrep	semgrep:child-process-import	AI (semgrep): CLI build toolkit; child_process use in version-check.js is expected for a tool that runs system commands.	ai	2026/05/20
phantom-deps	phantom-dep:babel-loader	AI (phantom-deps): Webpack loader dep declared for downstream consumers; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): Framework-scoped dep loaded by convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@babel/preset-env	AI (phantom-deps): Framework-scoped dep loaded by convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@babel/plugin-transform-runtime	AI (phantom-deps): Framework-scoped dep loaded by convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@babel/plugin-transform-class-properties	AI (phantom-deps): Framework-scoped dep loaded by convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@babel/plugin-transform-modules-commonjs	AI (phantom-deps): Framework-scoped dep loaded by convention; stable false positive.	ai	2026/05/20
phantom-deps	phantom-dep:sass-loader	AI (phantom-deps): Webpack loader dep declared for downstream consumers; stable false positive.	ai	2026/05/20
semgrep	semgrep:dynamic-require	AI (semgrep): extract-loader.js is a webpack loader; dynamic require is inherent to loader design.	ai	2026/05/20
phantom-deps	phantom-dep:tar	AI (phantom-deps): Toolkit declares deps for downstream consumers; phantom-dep heuristic is a stable false positive here.	ai	2026/05/20

Versions (showing 8 of 8)

Version	Deps	Published
1.0.17	36 / 9	2026-04-30
1.0.16	35 / 9	2026-03-31
1.0.15	35 / 7	2026-02-06
1.0.14	35 / 7	2026-01-05
1.0.13	35 / 7	2025-11-21
1.0.12	34 / 7	2025-10-29
1.0.11	34 / 7	2025-09-30
1.0.10	33 / 7	2025-09-15