
@ax-llm/ax

Versions: 6
License: (not shown)
Install scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version (21.0.9):
- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

dosco

Accepted risks

Findings the reviewer chose to accept rather than block on. One row per finding: source | rule | reason | accepted by. (The "when" column was blank for every row in this capture.)

publish-pattern | dormant-publish | AI (publish-pattern): Package has SLSA provenance, established repo, and no code changes from prior version — dormancy gap is not indicative of takeover here. | ai
semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in bundled LLM/template-engine code; consistent with legitimate dynamic code execution in this library. | ai
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in bundled output is a common minifier/bundler pattern; no evidence of malicious intent. | ai
email-domain | unclaimed-email:https://twitter.com/dosco | AI (email-domain): Author field contains a Twitter URL, not an email address; analyzer misfired on social link. | ai
typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @ax-llm/ax is an LLM framework; Levenshtein match to 'pg' is a false positive. | ai
install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs a local bundled script, not a remote fetch; consistent with established package pattern. | ai
typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @ax-llm/ax is an LLM framework; Levenshtein match to 'qs' is a false positive. | ai
typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @ax-llm/ax is an LLM framework; Levenshtein match to 'ajv' is a false positive. | ai

Versions (showing 6 of 6)

Version | Deps | Published
21.0.9 | 1 / 0 |
21.0.2 | 2 / 0 |
20.0.2 | 2 / 0 |
20.0.1 | 2 / 0 |
20.0.0 | 2 / 0 |
19.0.39 | 2 / 0 |

(Published dates were blank for every row in this capture.)

v21.0.9

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal the registry offers: it ties the published tarball to a specific source repository, commit and build workflow, so it rules out tampering between source and registry. It does not assess the content of that commit, so a compromised or malicious source still passes.

v21.0.2

1 finding
INFO [provenance] Has SLSA provenance attestation (same finding text as v21.0.9)

v20.0.2

1 finding
INFO [provenance] Has SLSA provenance attestation (same finding text as v21.0.9)

v20.0.1

1 finding
INFO [provenance] Has SLSA provenance attestation (same finding text as v21.0.9)

v20.0.0

3 findings
HIGH [install-scripts] Package has 'postinstall' script

Script: node ./scripts/postinstall.mjs

HIGH [email-domain] Unclaimed maintainer email domain: https://twitter.com/dosco

Maintainer email 'https://twitter.com/dosco' uses domain 'https://twitter.com/dosco', which has no DNS records. An attacker could register this domain to hijack the maintainer identity. (As the accepted-risk entry for this rule records, this is an analyzer misfire: the author field holds a Twitter profile URL, not an email address, so there is no registrable domain here.)

INFO [provenance] Has SLSA provenance attestation (same finding text as v21.0.9)

v19.0.39

1 finding
INFO [provenance] Has SLSA provenance attestation (same finding text as v21.0.9)