@auth0/auth0-spa-js — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

auth0-ossauth0npmauth0brokkrjesseleoktajeffoktajeffbsmith-auth0sanjay.manikandhanniltorresatkohenry.mcardlenicolas.villalobosjosecarlos-chavez_atkotj.oktasgarcia-atkoroger.chanmaaantonelewisbyrne-oktatarunpreet.kaur

Keywords

auth0loginAuthorization Code Grant FlowPKCESingle Page Application authenticationSPA authentication

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Consistent with Auth0's org-wide shift to CI-based publishing; not indicative of takeover.	ai	2026/05/03
provenance	publisher-changed	AI (provenance): Auth0 migrated to GitHub Actions CI publishing; SLSA attestation confirms legitimate automated release pipeline.	ai	2026/05/03
source-diff	encoded-string-file:dist/auth0-spa-js.development.js	AI (source-diff): Same inlined Web Worker pattern; benign for this package.	ai	2026/04/30
source-diff	encoded-string-file:dist/auth0-spa-js.production.esm.js	AI (source-diff): Same inlined Web Worker pattern; benign for this package.	ai	2026/04/30
source-diff	encoded-string-file:dist/lib/auth0-spa-js.cjs.js	AI (source-diff): Base64 is a rollup-plugin-web-worker-loader inlined worker bundle; stable pattern across all build outputs of this package.	ai	2026/04/30
source-diff	encoded-string-file:dist/auth0-spa-js.production.js	AI (source-diff): Same inlined Web Worker pattern; benign for this package.	ai	2026/04/30
publish-pattern	dormant-publish	AI (publish-pattern): Established Auth0 SDK with 119 versions; dormancy period reflects normal release cadence, not account takeover.	ai	2026/04/30
dependencies	unvetted-dep:es-cookie	AI (dependencies): es-cookie is a well-known cookie utility; no malware indicators, appropriate for SPA auth SDK.	ai	2026/04/29
dependencies	unvetted-dep:dpop	AI (dependencies): dpop is a standard OAuth DPoP library; expected dependency for this Auth0 SDK.	ai	2026/04/29
dependencies	unvetted-dep:@auth0/auth0-auth-js	AI (dependencies): First-party Auth0 dependency; expected in Auth0 SDK ecosystem.	ai	2026/04/29

Versions (showing 30 of 30)

Version	Deps	Published
2.19.2	4 / 47	2026-04-15
2.19.1	4 / 47	2026-04-13
2.19.0	4 / 47	2026-04-09
2.18.3	4 / 47	2026-03-30
2.18.2	4 / 47	2026-03-26
2.18.1	4 / 47	2026-03-26
2.18.0	4 / 46	2026-03-19
2.17.1	4 / 46	2026-03-12
2.17.0	4 / 47	2026-02-23
2.16.0	4 / 47	2026-02-17
2.15.0	4 / 47	2026-02-11
2.14.0	4 / 47	2026-02-05
2.13.1	4 / 47	2026-02-02
2.13.0	4 / 47	2026-01-30
2.12.0	4 / 47	2026-01-27
2.11.3	3 / 44	2026-01-16
2.11.2	3 / 44	2026-01-12
2.11.1	3 / 44	2026-01-08
2.11.0	3 / 44	2025-12-11
2.10.0	3 / 44	2025-12-03
2.9.1	3 / 44	2025-11-21
2.9.0	3 / 44	2025-11-17
2.8.0	3 / 44	2025-10-27
2.7.0	3 / 44	2025-10-17
2.6.0	3 / 44	2025-10-13
2.5.0	3 / 44	2025-10-01
2.4.1	3 / 44	2025-09-10
2.4.0	0 / 47	2025-09-08
2.3.0	0 / 45	2025-07-16
2.2.0	0 / 45	2025-05-29

v2.19.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.19.1

5 findings

HIGH Long encoded string in modified file: dist/lib/auth0-spa-js.cjs.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/auth0-spa-js.development.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/auth0-spa-js.production.esm.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/auth0-spa-js.production.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.18.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.18.2

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.18.1

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-03-26) provenance

This version was published by a different npm account than previous versions on 2026-03-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.18.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-03-19) provenance

This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.17.1

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-03-12) provenance

This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.17.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-02-23) provenance

This version was published by a different npm account than previous versions on 2026-02-23. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.16.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-02-17) provenance

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.15.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-02-11) provenance

This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.14.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-02-05) provenance

This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.1

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-02-02) provenance

This version was published by a different npm account than previous versions on 2026-02-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-01-30) provenance

This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.0

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-01-27) provenance

This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.3

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-01-16) provenance

This version was published by a different npm account than previous versions on 2026-01-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.2

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-01-12) provenance

This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.1

2 findings

HIGH Publisher changed: auth0-oss → GitHub Actions (on 2026-01-08) provenance

This version was published by a different npm account than previous versions on 2026-01-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.10.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.9.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.9.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.8.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.