← Home

@cosmograph/cosmograph

npm

Cosmograph: The fastest web-based graph visualization library

8
Versions
CC-BY-NC-4.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kolmakovarokotyanstukova

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:@uwdata/vgplot AI (dependencies): Legitimate UW Data Lab visualization library; consistent with cosmograph's data-viz use case. ai
dependencies unvetted-dep:@cosmos.gl/graph AI (dependencies): First-party dependency from the same cosmograph/cosmos.gl org; expected stable dep. ai
dependencies unvetted-dep:@uwdata/mosaic-plot AI (dependencies): Legitimate UW Data Lab visualization library; consistent with cosmograph's data-viz use case. ai
phantom-deps phantom-dep:@supabase/supabase-js AI (phantom-deps): supabase-js likely used conditionally/optionally; stable false positive for this package. ai
phantom-deps phantom-dep:d3-selection AI (phantom-deps): Same as d3-array; bundler-resolved transitive dep. ai
phantom-deps phantom-dep:d3-interpolate AI (phantom-deps): Same as d3-array; bundler-resolved transitive dep. ai
phantom-deps phantom-dep:d3-array AI (phantom-deps): d3 modules are peer/transitive deps used via bundler; phantom-dep is a stable false positive for this package. ai
phantom-deps phantom-dep:@uwdata/mosaic-plot AI (phantom-deps): Declared in package.json; used indirectly via bundler config. ai
phantom-deps phantom-dep:dompurify AI (phantom-deps): DOMPurify is declared in package.json; phantom-dep is a false positive for this package. ai
phantom-deps phantom-dep:d3-brush AI (phantom-deps): Same as d3-array; bundler-resolved transitive dep. ai
phantom-deps phantom-dep:d3-color AI (phantom-deps): Same as d3-array; bundler-resolved transitive dep. ai
phantom-deps phantom-dep:d3-scale AI (phantom-deps): Same as d3-array; bundler-resolved transitive dep. ai

Versions (showing 8 of 8)

Version Deps Published
2.3.2 17 / 0
2.3.1 17 / 0
2.3.0 17 / 0
2.2.1 17 / 0
2.2.0 17 / 0
2.1.0 16 / 0
2.0.1 16 / 0
2.0.0 16 / 0

v2.3.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.