← Home

@casual-simulation/aux-vm

npm Repository Homepage

A set of abstractions required to securely run an AUX.

7
Versions
AGPL-3.0-only
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kallyngowdyyeticasualsimulation

Keywords

aux

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:@casual-simulation/fast-json-stable-stringify AI (dependencies): Same-org monorepo dependency; consistent across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/undom AI (dependencies): Same-org monorepo dependency; consistent across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/crypto AI (dependencies): Same-org monorepo dependency; consistent across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/timesync AI (dependencies): Same-org monorepo dependency; consistent across all versions of this package. ai
provenance no-provenance AI (provenance): Long-established package with consistent publishing history; lack of provenance is not anomalous here. ai
phantom-deps phantom-dep:htm AI (phantom-deps): Monorepo build artifact; declared dep used in config/bundling, not a direct import. ai
phantom-deps phantom-dep:comlink AI (phantom-deps): Monorepo build artifact; declared dep used in config/bundling, not a direct import. ai
phantom-deps phantom-dep:@casual-simulation/crypto AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic is unreliable for monorepo packages. ai

Versions (showing 7 of 7)

Version Deps Published
4.2.4 16 / 0
4.2.3 16 / 0
4.1.0 16 / 0
3.10.5 16 / 0
3.10.4 16 / 0
3.10.2 16 / 0
3.8.1 16 / 0

v4.2.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.