@capacitor/core No license 18 versions

@capacitor/core

npm Repository Homepage

18

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

itschacedionicjsjcesarmobilevmfojpendermark-ionicchuckytuhalexgerardojacintoos-pedrobilroharvdoggyjpender-osndrkepatotorui.mendesmarkemercapacitor-plugin-boteric-ionicos-ruialves

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:cors	AI (typosquat): @capacitor/core is the official Ionic/Capacitor framework core package, not a typosquat of 'cors'. The name similarity is coincidental; this is a stable false positive.	ai	2026/04/27
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in cordova.js is standard Cordova module loader resolution logic, not arbitrary code loading. Stable false positive for this package.	ai	2026/04/27
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decode in cordova.js is standard binary data handling for native-to-web data transfer in Capacitor/Cordova. Legitimate and expected pattern.	ai	2026/04/27
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a declared runtime dependency used implicitly by TypeScript-compiled output. This is a known pattern and a stable false positive for TypeScript packages.	ai	2026/04/27

Versions (showing 18 of 18)

Version	Deps	Published
8.3.4	1 / 11	2026-05-12
8.3.3	1 / 11	2026-05-08
8.3.2	1 / 11	2026-05-07
8.3.1	1 / 11	2026-04-16
8.3.0	1 / 11	2026-03-25
8.2.0	1 / 11	2026-03-06
8.1.0	1 / 11	2026-02-11
8.0.2	1 / 11	2026-01-27
8.0.1	1 / 11	2026-01-13
8.0.0	1 / 11	2025-12-08
7.6.5	1 / 11	2026-05-12
7.6.4	1 / 11	2026-05-08
7.6.3	1 / 11	2026-05-07
7.6.2	1 / 11	2026-04-16
7.6.1	1 / 11	2026-03-25
7.6.0	1 / 11	2026-03-06
7.5.0	1 / 11	2026-02-11
7.4.5	1 / 11	2026-01-13

v8.3.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.3.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.3.1

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@capacitor/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.2

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@capacitor/core' is 1 edit(s) away from popular package 'cors'.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.4.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.