@auth0/auth0-spa-js
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Consistent with Auth0's org-wide shift to CI-based publishing; not indicative of takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Auth0 migrated to GitHub Actions CI publishing; SLSA attestation confirms legitimate automated release pipeline. | ai | |
| source-diff | encoded-string-file:dist/auth0-spa-js.development.js | AI (source-diff): Same inlined Web Worker pattern; benign for this package. | ai | |
| source-diff | encoded-string-file:dist/auth0-spa-js.production.esm.js | AI (source-diff): Same inlined Web Worker pattern; benign for this package. | ai | |
| source-diff | encoded-string-file:dist/lib/auth0-spa-js.cjs.js | AI (source-diff): Base64 is a rollup-plugin-web-worker-loader inlined worker bundle; stable pattern across all build outputs of this package. | ai | |
| source-diff | encoded-string-file:dist/auth0-spa-js.production.js | AI (source-diff): Same inlined Web Worker pattern; benign for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Established Auth0 SDK with 119 versions; dormancy period reflects normal release cadence, not account takeover. | ai | |
| dependencies | unvetted-dep:es-cookie | AI (dependencies): es-cookie is a well-known cookie utility; no malware indicators, appropriate for SPA auth SDK. | ai | |
| dependencies | unvetted-dep:dpop | AI (dependencies): dpop is a standard OAuth DPoP library; expected dependency for this Auth0 SDK. | ai | |
| dependencies | unvetted-dep:@auth0/auth0-auth-js | AI (dependencies): First-party Auth0 dependency; expected in Auth0 SDK ecosystem. | ai |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 2.23.0 | 4 / 46 | |
| 2.22.0 | 4 / 46 | |
| 2.21.2 | 4 / 46 | |
| 2.21.1 | 4 / 46 | |
| 2.21.0 | 4 / 46 | |
| 2.20.0 | 4 / 46 | |
| 2.19.3 | 4 / 46 | |
| 2.19.2 | 4 / 47 | |
| 2.19.1 | 4 / 47 | |
| 2.19.0 | 4 / 47 | |
| 2.18.3 | 4 / 47 | |
| 2.18.2 | 4 / 47 | |
| 2.18.1 | 4 / 47 | |
| 2.18.0 | 4 / 46 | |
| 2.17.1 | 4 / 46 | |
| 2.17.0 | 4 / 47 | |
| 2.16.0 | 4 / 47 | |
| 2.15.0 | 4 / 47 | |
| 2.14.0 | 4 / 47 | |
| 2.13.1 | 4 / 47 | |
| 2.13.0 | 4 / 47 | |
| 2.12.0 | 4 / 47 | |
| 2.11.3 | 3 / 44 | |
| 2.11.2 | 3 / 44 | |
| 2.11.1 | 3 / 44 | |
| 2.11.0 | 3 / 44 | |
| 2.10.0 | 3 / 44 | |
| 2.9.1 | 3 / 44 | |
| 2.9.0 | 3 / 44 | |
| 2.8.0 | 3 / 44 | |
| 2.7.0 | 3 / 44 | |
| 2.6.0 | 3 / 44 | |
| 2.5.0 | 3 / 44 | |
| 2.4.1 | 3 / 44 | |
| 2.4.0 | 0 / 47 | |
| 2.3.0 | 0 / 45 | |
| 2.2.0 | 0 / 45 |
v2.23.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.22.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.