@barchart/chart-lib
Barchart HTML5 Streaming Chart
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside minified chart bundle; pattern is from date/timezone parsing, not dynamic code execution of external input. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in minified bundle is a common bundler/transpiler artifact, not obfuscation for evasion. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Proprietary UNLICENSED compiled artifact; no repo/deps/keywords is expected for this distribution pattern. | ai | |
Versions (showing 51 of 225)
| Version | Deps | Published |
|---|---|---|
| 2.386.8 | 0 / 0 | |
| 2.386.7 | 0 / 0 | |
| 2.386.6 | 0 / 0 | |
| 2.386.5 | 0 / 0 | |
| 2.386.3 | 0 / 0 | |
| 2.386.1 | 0 / 0 | |
| 2.386.0 | 0 / 0 | |
| 2.385.2 | 0 / 0 | |
| 2.385.1 | 0 / 0 | |
| 2.385.0 | 0 / 0 | |
| 2.384.3 | 0 / 0 | |
| 2.384.2 | 0 / 0 | |
| 2.384.1 | 0 / 0 | |
| 2.384.0 | 0 / 0 | |
| 2.383.1 | 0 / 0 | |
| 2.383.0 | 0 / 0 | |
| 2.382.2 | 0 / 0 | |
| 2.382.1 | 0 / 0 | |
| 2.382.0 | 0 / 0 | |
| 2.381.3 | 0 / 0 | |
| 2.381.2 | 0 / 0 | |
| 2.381.1 | 0 / 0 | |
| 2.381.0 | 0 / 0 | |
| 2.380.2 | 0 / 0 | |
| 2.380.0 | 0 / 0 | |
| 2.379.5 | 0 / 0 | |
| 2.379.4 | 0 / 0 | |
| 2.379.3 | 0 / 0 | |
| 2.379.2 | 0 / 0 | |
| 2.379.1 | 0 / 0 | |
| 2.379.0 | 0 / 0 | |
| 2.378.0 | 0 / 0 | |
| 2.377.6 | 0 / 0 | |
| 2.377.5 | 0 / 0 | |
| 2.377.4 | 0 / 0 | |
| 2.377.3 | 0 / 0 | |
| 2.377.2 | 0 / 0 | |
| 2.377.0 | 0 / 0 | |
| 2.376.6 | 0 / 0 | |
| 2.376.5 | 0 / 0 | |
| 2.376.4 | 0 / 0 | |
| 2.376.2 | 0 / 0 | |
| 2.376.1 | 0 / 0 | |
| 2.376.0 | 0 / 0 | |
| 2.375.1 | 0 / 0 | |
| 2.375.0 | 0 / 0 | |
| 2.374.5 | 0 / 0 | |
| 2.374.4 | 0 / 0 | |
| 2.374.2 | 0 / 0 | |
| 2.374.1 | 0 / 0 | |
| 2.374.0 | 0 / 0 | |
v2.386.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.386.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.385.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.385.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.385.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.384.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.384.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.384.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.384.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.383.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.383.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.382.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.382.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.382.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.381.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.381.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.381.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.380.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.380.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.379.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.379.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.379.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.379.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.379.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.378.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.377.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.376.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.376.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.376.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.376.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.376.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.376.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.375.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.375.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.374.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.374.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.374.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.374.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.374.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.