@casual-simulation/aux-runtime
Runtime for AUX projects
Versions: 5
License: AGPL-3.0-only
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
kallyngowdyyeticasualsimulation
Keywords
auxso4realtimecrdt
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@casual-simulation/three | AI (dependencies): First-party org-scoped package; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:expect | AI (phantom-deps): Test utility; phantom-dep heuristic false positive for this package. | ai | |
| dependencies | unvetted-dep:@types/estraverse | AI (dependencies): Type definitions package; no runtime risk. | ai | |
| dependencies | unvetted-dep:typesense | AI (dependencies): Well-known search client library; no malware signals. | ai | |
| dependencies | unvetted-dep:@casual-simulation/stacktrace | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@casual-simulation/engine262 | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@casual-simulation/js-interpreter | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@casual-simulation/error-stack-parser | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@casual-simulation/fast-json-stable-stringify | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/estraverse | AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/seedrandom | AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive. | ai | |
| dependencies | unvetted-dep:@casual-simulation/crypto | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@casual-simulation/expect | AI (dependencies): Same-org monorepo dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@casual-simulation/expect | AI (phantom-deps): Same-org dep declared in package.json; phantom-dep is a false positive. | ai | |
| phantom-deps | phantom-dep:@casual-simulation/stacktrace | AI (phantom-deps): Same-org dep declared in package.json; phantom-dep is a false positive. | ai | |
| phantom-deps | phantom-dep:lib0 | AI (phantom-deps): lib0 is a declared dependency used transitively via yjs; phantom-dep is a false positive here. | ai | |
| phantom-deps | phantom-dep:acorn-jsx | AI (phantom-deps): acorn-jsx is a declared runtime dep; phantom-dep heuristic misfires for this package. | ai | |
| phantom-deps | phantom-dep:three | AI (phantom-deps): three is a declared runtime dep; phantom-dep heuristic misfires for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() is used in a proxy trap for sandboxed JS runtime — expected pattern for this package. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): axios is a declared runtime dep; phantom-dep heuristic misfires for this package. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 4.2.4 | 36 / 4 | |
| 4.2.3 | 36 / 4 | |
| 4.0.0 | 36 / 4 | |
| 3.10.4 | 36 / 4 | |
| 3.8.1 | 36 / 4 | |
v4.2.4
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.10.4
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.8.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.