@defra/forms-engine-plugin
Defra forms engine
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): chokidar is a well-known file-watcher; phantom-dep finding confirms it's not directly imported in runtime code. | ai | |
| dependencies | unvetted-dep:@hapi/jwt | AI (dependencies): Official @hapi scoped JWT plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/yar | AI (dependencies): Official @hapi scoped session plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:hapi-pino | AI (dependencies): Well-known hapi.js logging plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:hapi-pulse | AI (dependencies): Well-known hapi.js graceful shutdown plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/crumb | AI (dependencies): Official @hapi scoped CSRF plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/inert | AI (dependencies): Official @hapi scoped static file plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/vision | AI (dependencies): Official @hapi scoped template rendering plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/scooter | AI (dependencies): Official @hapi scoped user-agent plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:@hapi/catbox-redis | AI (dependencies): Official @hapi scoped Redis cache adapter; no security concerns. | ai | |
| dependencies | unvetted-dep:@defra/hapi-tracing | AI (dependencies): Same DEFRA org tracing plugin; consistent publisher provenance. | ai | |
| dependencies | unvetted-dep:@elastic/ecs-pino-format | AI (dependencies): Official Elastic ECS log formatter; no security concerns. | ai | |
| dependencies | unvetted-dep:@types/humanize-duration | AI (dependencies): Type definitions package only; no runtime risk. | ai | |
| dependencies | unvetted-dep:blipp | AI (dependencies): Well-known hapi.js route listing plugin; no security concerns. | ai | |
| dependencies | unvetted-dep:blankie | AI (dependencies): Well-known hapi.js CSP plugin; no security concerns. | ai | |
| phantom-deps | phantom-dep:blankie | AI (phantom-deps): Loaded by hapi plugin convention, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): Dev/logging tool loaded by config convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:humanize-duration | AI (phantom-deps): Loaded indirectly via config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@defra/interactive-map | AI (phantom-deps): Same-org package loaded by plugin convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/humanize-duration | AI (phantom-deps): Types package loaded by framework convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:atob | AI (phantom-deps): Polyfill declared for compatibility; stable false positive. | ai | |
| phantom-deps | phantom-dep:btoa | AI (phantom-deps): Polyfill declared for compatibility; stable false positive. | ai | |
| phantom-deps | phantom-dep:outdent | AI (phantom-deps): Template utility loaded by config; stable false positive. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Dev watch tool loaded by config; stable false positive. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall only runs husky init with a safe no-op fallback; standard dev-tooling pattern for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used to parse TLS trust-store certs from env vars — legitimate and documented pattern. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 4.14.3 | 52 / 82 | |
| 4.14.2 | 51 / 81 | |
| 4.10.0 | 50 / 81 | |
| 4.9.2 | 50 / 81 | |
| 4.0.41 | 45 / 77 | |
| 4.0.29 | 44 / 77 | |
| 4.0.22 | 43 / 77 | |
| 4.0.13 | 44 / 77 | |
| 4.0.9 | 44 / 77 | |
| 4.0.8 | 44 / 77 | |
| 4.0.7 | 44 / 77 | |
v4.14.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.14.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.10.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.41
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.22
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.