@c8y/ng1-modules
AngularJS modules for Cumulocity IoT applications.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:enterpriseEdition/customBranding/brandingConfigurationForm.component.js | AI (source-diff): Minified build output from uglify-js; readable AngularJS component logic, no malicious patterns. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New modules (remoteAccess, SNMP, branding) explain the 47 new files; consistent with feature additions in this IoT platform. | ai | |
| source-diff | obfuscated-file:device-protocol-snmp/snmp-device.provider.js | AI (source-diff): Minified build output; SNMP device provider, consistent with IoT platform scope. | ai | |
| source-diff | obfuscated-file:remoteAccess/remoteAccessUI.provider.js | AI (source-diff): Minified build output; remote access UI provider, no malicious patterns. | ai | |
| source-diff | obfuscated-file:remoteAccess/remoteAccessEndpointModal/remoteAccessEndpointModal.component.js | AI (source-diff): Minified build output; endpoint modal component, no malicious patterns. | ai | |
| source-diff | obfuscated-file:remoteAccess/remoteAccess.service.js | AI (source-diff): Minified build output; remote access service using noVNC/xterm, consistent with new deps. | ai | |
| source-diff | obfuscated-file:core/ui/controllers/radialGauge.js | AI (source-diff): Minified build output; d3-based gauge widget, no malicious patterns. | ai | |
| source-diff | obfuscated-file:tenants/controllers/detail.js | AI (source-diff): Minified build output; tenant management controller, no malicious patterns. | ai | |
| source-diff | obfuscated-file:enterpriseEdition/customBranding/brandingDeploy.service.js | AI (source-diff): Minified build output; branding deploy service logic, no exfiltration. | ai | |
| source-diff | obfuscated-file:enterpriseEdition/customBranding/brandingConfigurationUi.provider.js | AI (source-diff): Minified build output; standard polyfill helpers + AngularJS provider logic. | ai | |
| source-diff | obfuscated-file:eventList/eventList.controller.js | AI (source-diff): Package uses uglify-js to minify Angular controllers as part of its documented build process; minified output is expected across all versions. | ai | |
| phantom-deps | phantom-dep:xterm | AI (phantom-deps): xterm referenced in config files; consistent with this package's AngularJS wrapper pattern. | ai | |
| npm-metadata | url-dep:noVNC | AI (npm-metadata): Points to official novnc GitHub org at a pinned tag (v0.6.2); stable and intentional for this package. | ai | |
| phantom-deps | phantom-dep:xterm-addon-fit | AI (phantom-deps): xterm-addon-fit referenced in config files; same pattern as other phantom deps in this package. | ai | |
| phantom-deps | phantom-dep:noVNC | AI (phantom-deps): noVNC is a URL dep referenced in config; phantom-dep false positive for this AngularJS module bundle pattern. | ai | |
| npm-metadata | url-dep:angular-file-upload | AI (npm-metadata): Pinned tarball URL to a specific tag (1.6.12) on a known repo; stable pattern across versions of this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Large legacy AngularJS bundle; sparse metadata is structural, not spam. | ai | |
| phantom-deps | phantom-dep:@claviska/jquery-minicolors | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-cron-jobs | AI (phantom-deps): AngularJS module collection; deps loaded via config/bundler, not direct imports. Stable pattern. | ai | |
| phantom-deps | phantom-dep:fast-text-encoding | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-file-upload | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-schema-form | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-ui-sortable | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:@selectize/selectize | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-ui-bootstrap | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-dynamic-locale | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angular-leaflet-directive | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:angularjs-nvd3-directives | AI (phantom-deps): Same pattern — config-referenced dep, not directly imported. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:nvd3 | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:d3 | AI (phantom-deps): AngularJS bundle; deps declared for bundler/config consumption, not direct imports. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:angular-gettext | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-animate | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-ui-ace | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-qrcode | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-route | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-i18n | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ace-builds | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-messages | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular-sanitize | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ui-select | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:jquery-ui | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:bootstrap | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:payment | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:leaflet | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:angular | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:zip-js | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:ng-csv | AI (phantom-deps): Same AngularJS bundle pattern; stable false positive. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 1023.82.4 | 41 / 7 | |
| 1023.80.0 | 41 / 7 | |
| 1023.79.1 | 41 / 7 | |
| 1023.78.7 | 41 / 7 | |
| 1023.78.4 | 41 / 7 | |
| 1023.78.1 | 41 / 7 | |
| 1023.77.1 | 41 / 7 | |
| 1023.76.0 | 41 / 7 | |
| 1023.75.1 | 41 / 7 | |
| 1023.68.7 | 41 / 6 | |
| 1023.68.6 | 41 / 6 | |
| 1023.68.3 | 41 / 6 | |
| 1023.68.0 | 41 / 6 | |
| 1023.67.0 | 41 / 6 | |
| 1023.66.3 | 41 / 6 | |
| 1023.65.2 | 41 / 6 | |
| 1023.65.1 | 41 / 6 | |
| 1023.64.2 | 41 / 6 | |
| 1023.14.157 | 41 / 7 | |
| 1023.14.154 | 41 / 7 | |
| 1023.14.150 | 41 / 7 | |
| 1023.14.146 | 41 / 7 | |
| 1023.14.145 | 41 / 7 | |
| 1023.14.144 | 41 / 7 | |
| 1023.14.142 | 41 / 6 | |
| 1023.14.141 | 41 / 6 | |
| 1023.14.139 | 41 / 6 | |
| 1023.14.138 | 41 / 6 | |
| 1023.14.136 | 41 / 6 | |
| 1023.14.135 | 41 / 6 | |
| 1021.22.164 | 44 / 5 | |
| 1021.22.163 | 44 / 5 | |
| 1021.22.162 | 44 / 5 | |
| 1021.22.158 | 44 / 5 | |
v1023.82.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.80.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.79.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.78.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.78.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.78.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.77.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.75.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.68.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.68.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.68.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.68.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.67.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.66.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.65.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.65.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.64.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.157
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.154
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.150
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1023.14.146
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.145
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.144
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.142
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.141
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.139
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.138
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.136
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1023.14.135
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1021.22.164
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.163
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.162
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1021.22.158
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.