@datagrok-libraries/ml
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Internal datagrok org library; sparse metadata is consistent across the package family. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @datagrok-libraries/ml cannot plausibly typosquat 'qs'; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Declared dep in a library bundle; may be used indirectly or in config — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:umap-js | AI (phantom-deps): ML library legitimately depends on umap-js for dimensionality reduction; phantom-dep is a heuristic false positive. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @datagrok-libraries/ml cannot plausibly typosquat 'pg'; Levenshtein match is spurious. | ai | |
| phantom-deps | phantom-dep:@webgpu/types | AI (phantom-deps): Type-only package for WebGPU; used at compile time, not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:@types/seedrandom | AI (phantom-deps): Type definitions package; framework-scoped, not directly imported. | ai | |
| phantom-deps | phantom-dep:cash-dom | AI (phantom-deps): Datagrok UI library dependency; stable false positive for this package. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 6.10.13 | 17 / 11 | |
| 6.10.12 | 17 / 11 | |
| 6.10.11 | 17 / 11 | |
| 6.10.10 | 17 / 11 | |
| 6.10.9 | 17 / 11 | |
| 6.10.8 | 17 / 11 | |
| 6.10.7 | 17 / 11 | |
| 6.10.6 | 16 / 11 | |
| 6.10.5 | 16 / 11 | |
| 6.10.4 | 16 / 11 | |
| 6.10.3 | 16 / 11 | |
| 6.10.2 | 16 / 10 | |
| 6.10.1 | 16 / 10 |
v6.10.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.6
2 findingsThis version was published by a different npm account than previous versions on 2025-10-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.10.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.