@capacitor/[email protected] rejected Risk: 60 No license 2026-04-13

@capacitor/camera @8.1.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

—

License

Install Scripts

Dependencies

Dev Dependencies

83.3 KB

Package Size

2026-04-13

Published

Maintainers

itschacedionicjsjcesarmobilevmfojpenderdtarnawskymark-ionicalexgerardojacintoos-pedrobilroharvdoggyjpender-osndrkepatotorui.mendesmarkemercapacitor-plugin-boteric-ionicos-ruialves

Keywords

capacitorpluginnative

Dev Dependencies (21)

Package	Constraint	Registry Status
eslint	^8.57.1	auto_approved
rimraf	^6.1.0	auto_approved
rollup	^4.53.2	auto_approved
prettier	^3.6.2	auto_approved
swiftlint	^2.0.0	Not imported
typescript	^5.9.3	auto_approved
@types/node	^24.10.1	auto_approved
@capacitor/ios	^8.0.0	pending
@capacitor/core	^8.0.0	auto_approved
semantic-release	^25.0.2	auto_approved
@capacitor/docgen	0.3.0	Not imported
@capacitor/android	^8.0.0	auto_approved
@ionic/eslint-config	^0.4.0	Not imported
prettier-plugin-java	^2.7.7	pending
@semantic-release/git	^10.0.1	auto_approved
@semantic-release/npm	^13.1.2	auto_approved
@ionic/prettier-config	^4.0.0	Not imported
@semantic-release/exec	^7.1.0	pending
@ionic/swiftlint-config	^2.0.0	Not imported
@semantic-release/github	^12.0.2	auto_approved
@semantic-release/changelog	^6.0.3	auto_approved

Changes from v7.0.5

No metadata changes detected.

File Changes

9 added 2 removed 20 modified size delta: +245.5 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`regressed-provenance`	provenance	reject	AI	AI (provenance): Official Ionic/Capacitor packages publish with CI provenance; regression is a strong compromise indicator.
`publisher-changed`	provenance	reject	AI	AI (provenance): New publisher with 0 prior publishes taking over an established Ionic org package is high-risk.

SAST Findings (2)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH Publisher changed: capacitor-plugin-bot → os-pedrobilro (on 2026-04-13) provenance

This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 60. Findings: 2 high (+50), 1 medium (+10).

Commit: 402bba25b88f Browse source

Published to npm: 2026-04-13