← Home

@auth0/auth0-spa-js

37
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

auth0-ossauth0npmauth0brokkrjesseleoktajeffoktajeffbsmith-auth0sanjay.manikandhanniltorresatkohenry.mcardlenicolas.villalobosjosecarlos-chavez_atkotj.oktasgarcia-atkoroger.chanmaaantonelewisbyrne-oktatarunpreet.kaur

Keywords

auth0loginAuthorization Code Grant FlowPKCESingle Page Application authenticationSPA authentication

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-removed AI (maintainer-change): Consistent with Auth0's org-wide shift to CI-based publishing; not indicative of takeover. ai
provenance publisher-changed AI (provenance): Auth0 migrated to GitHub Actions CI publishing; SLSA attestation confirms legitimate automated release pipeline. ai
source-diff encoded-string-file:dist/auth0-spa-js.development.js AI (source-diff): Same inlined Web Worker pattern; benign for this package. ai
source-diff encoded-string-file:dist/auth0-spa-js.production.esm.js AI (source-diff): Same inlined Web Worker pattern; benign for this package. ai
source-diff encoded-string-file:dist/lib/auth0-spa-js.cjs.js AI (source-diff): Base64 is a rollup-plugin-web-worker-loader inlined worker bundle; stable pattern across all build outputs of this package. ai
source-diff encoded-string-file:dist/auth0-spa-js.production.js AI (source-diff): Same inlined Web Worker pattern; benign for this package. ai
publish-pattern dormant-publish AI (publish-pattern): Established Auth0 SDK with 119 versions; dormancy period reflects normal release cadence, not account takeover. ai
dependencies unvetted-dep:es-cookie AI (dependencies): es-cookie is a well-known cookie utility; no malware indicators, appropriate for SPA auth SDK. ai
dependencies unvetted-dep:dpop AI (dependencies): dpop is a standard OAuth DPoP library; expected dependency for this Auth0 SDK. ai
dependencies unvetted-dep:@auth0/auth0-auth-js AI (dependencies): First-party Auth0 dependency; expected in Auth0 SDK ecosystem. ai

Versions (showing 37 of 37)

Version Deps Published
2.23.0 4 / 46
2.22.0 4 / 46
2.21.2 4 / 46
2.21.1 4 / 46
2.21.0 4 / 46
2.20.0 4 / 46
2.19.3 4 / 46
2.19.2 4 / 47
2.19.1 4 / 47
2.19.0 4 / 47
2.18.3 4 / 47
2.18.2 4 / 47
2.18.1 4 / 47
2.18.0 4 / 46
2.17.1 4 / 46
2.17.0 4 / 47
2.16.0 4 / 47
2.15.0 4 / 47
2.14.0 4 / 47
2.13.1 4 / 47
2.13.0 4 / 47
2.12.0 4 / 47
2.11.3 3 / 44
2.11.2 3 / 44
2.11.1 3 / 44
2.11.0 3 / 44
2.10.0 3 / 44
2.9.1 3 / 44
2.9.0 3 / 44
2.8.0 3 / 44
2.7.0 3 / 44
2.6.0 3 / 44
2.5.0 3 / 44
2.4.1 3 / 44
2.4.0 0 / 47
2.3.0 0 / 45
2.2.0 0 / 45

v2.23.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.22.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.21.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.21.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.21.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.