@contentauth/c2pa-web
The SDK for interacting with [C2PA metadata](https://c2pa.org/) on the web.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/c2pa-DlCQhbLd.js | AI (source-diff): Vite/Rollup bundle of wasm-bindgen glue code; minified output is expected for this WASM web package. | ai | |
| source-diff | net-exec-file:dist/c2pa-DlCQhbLd.js | AI (source-diff): Network calls are part of the WASM loading pattern; no dropper behavior — standard wasm-bindgen + channel messaging. | ai | |
| source-diff | obfuscated-file:dist/c2pa-DKxSS-my.js | AI (source-diff): Minified wasm-bindgen glue bundle; standard build artifact for this WASM-based package. | ai | |
| source-diff | net-exec-file:dist/c2pa-DKxSS-my.js | AI (source-diff): Network+exec pattern is wasm-bindgen worker messaging, not dropper behavior; consistent with package purpose. | ai | |
| source-diff | obfuscated-file:dist/c2pa-DI2x_NCv.js | AI (source-diff): Vite-bundled wasm-bindgen output; minification is expected for this WASM web library. | ai | |
| source-diff | net-exec-file:dist/c2pa-DI2x_NCv.js | AI (source-diff): Network calls are part of WASM module loading; no dropper behavior evident in wasm-bindgen glue code. | ai | |
| dependencies | unvetted-dep:@contentauth/c2pa-types | AI (dependencies): Same org scope (@contentauth) as the publishing package; low risk. | ai | |
| phantom-deps | phantom-dep:@contentauth/c2pa-wasm | AI (phantom-deps): Same-org WASM package; exported via package.json exports map, not a direct JS import — stable false positive. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 0.8.4 | 4 / 8 | |
| 0.8.2 | 4 / 8 | |
| 0.8.1 | 4 / 8 | |
| 0.8.0 | 4 / 7 | |
| 0.7.1 | 4 / 7 | |
v0.8.4
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.