@barchart/chart-lib
Barchart HTML5 Streaming Chart
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside minified chart bundle; pattern is from date/timezone parsing, not dynamic code execution of external input. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in minified bundle is a common bundler/transpiler artifact, not obfuscation for evasion. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Proprietary UNLICENSED compiled artifact; no repo/deps/keywords is expected for this distribution pattern. | ai |
Versions (showing 25 of 235)
| Version | Deps | Published |
|---|---|---|
| 2.312.2 | 0 / 0 | |
| 2.312.1 | 0 / 0 | |
| 2.312.0 | 0 / 0 | |
| 2.311.2 | 0 / 0 | |
| 2.311.1 | 0 / 0 | |
| 2.311.0 | 0 / 0 | |
| 2.310.2 | 0 / 0 | |
| 2.310.1 | 0 / 0 | |
| 2.310.0 | 0 / 0 | |
| 2.309.0 | 0 / 0 | |
| 2.308.2 | 0 / 0 | |
| 2.308.1 | 0 / 0 | |
| 2.308.0 | 0 / 0 | |
| 2.307.0 | 0 / 0 | |
| 2.306.0 | 0 / 0 | |
| 2.305.12 | 0 / 0 | |
| 2.305.11 | 0 / 0 | |
| 2.305.10 | 0 / 0 | |
| 2.305.9 | 0 / 0 | |
| 2.305.8 | 0 / 0 | |
| 2.305.7 | 0 / 0 | |
| 2.305.6 | 0 / 0 | |
| 2.305.5 | 0 / 0 | |
| 2.305.4 | 0 / 0 | |
| 2.305.3 | 0 / 0 |
v2.312.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.312.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.312.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.311.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.311.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.311.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.310.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.310.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.310.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.309.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.308.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.308.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.308.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.307.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.306.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.305.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.