@camozdevelopment/velox
Velox framework meta-package — installs core, DOM runtime, compiler (Vite), router, forms, and CLI
2
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
camozdevelopment
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@camozdevelopment/velox-cli | AI (phantom-deps): Meta-package; deps are re-exported transitively, not directly imported. Stable pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Intentional meta-package with no code payload; sparse docs and tiny size are expected for this pattern. | ai | |
| phantom-deps | phantom-dep:@camozdevelopment/velox-forms | AI (phantom-deps): Meta-package pattern: deps are re-exported sub-packages, not directly imported. | ai | |
| phantom-deps | phantom-dep:@camozdevelopment/velox-dom | AI (phantom-deps): Meta-package pattern: deps are re-exported sub-packages, not directly imported. | ai | |
| phantom-deps | phantom-dep:@camozdevelopment/velox-compiler | AI (phantom-deps): Meta-package pattern: deps are re-exported sub-packages, not directly imported. | ai | |
| phantom-deps | phantom-dep:@camozdevelopment/velox-router | AI (phantom-deps): Meta-package pattern: deps are re-exported sub-packages, not directly imported. | ai | |
| phantom-deps | phantom-dep:@camozdevelopment/velox-core | AI (phantom-deps): Meta-package pattern: deps are re-exported sub-packages, not directly imported. | ai |
v0.2.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.