@drifted/assets
Collection of JavaScript and CSS assets that I use on most projects and a way to package them together.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Consistent across all 64 versions; maintainer hasn't enabled Sigstore provenance — stable false-positive for this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): High-frequency versioning pattern consistent across 64 releases; no malicious indicators. | ai | |
| source-diff | encoded-string-file:public/dependencies.js | AI (source-diff): Encoded string is base64 WASM binary (AGFzbQ magic bytes); legitimate SIMD WASM bundle, stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Require target is a fixed __dirname-relative path, not user-controlled; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:public/marked.js | AI (source-diff): File is the canonical marked.js bundle (MIT, markedjs/marked); minification is expected for a bundled asset package. | ai | |
| phantom-deps | phantom-dep:carrier-pigeon | AI (phantom-deps): Declared dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Declared dep referenced in config; phantom-dep heuristic false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside vendored underscore.js template engine — standard pattern, not attacker-controlled input. | ai | |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 0.0.132 | 4 / 3 | |
| 0.0.131 | 4 / 3 | |
| 0.0.123 | 4 / 3 | |
| 0.0.122 | 3 / 3 | |
| 0.0.121 | 3 / 3 | |
| 0.0.120 | 3 / 3 | |
| 0.0.118 | 3 / 3 | |
| 0.0.116 | 3 / 3 | |
| 0.0.115 | 3 / 3 | |
| 0.0.112 | 3 / 3 | |
| 0.0.111 | 3 / 3 | |
| 0.0.110 | 3 / 3 | |
| 0.0.108 | 2 / 3 | |
| 0.0.106 | 2 / 3 | |
| 0.0.104 | 2 / 3 | |
| 0.0.101 | 2 / 3 | |
| 0.0.90 | 2 / 3 | |
| 0.0.89 | 2 / 3 | |
| 0.0.86 | 2 / 3 | |
| 0.0.83 | 2 / 3 | |
| 0.0.82 | 2 / 3 | |
| 0.0.81 | 2 / 3 | |
| 0.0.80 | 2 / 3 | |
| 0.0.68 | 2 / 3 | |
| 0.0.66 | 2 / 3 | |
| 0.0.65 | 2 / 3 | |
| 0.0.62 | 2 / 3 | |
| 0.0.61 | 2 / 3 | |
| 0.0.60 | 2 / 3 | |
| 0.0.55 | 2 / 3 | |
| 0.0.40 | 2 / 3 | |
| 0.0.34 | 2 / 3 | |
| 0.0.33 | 2 / 3 | |
| 0.0.32 | 2 / 3 | |
| 0.0.31 | 2 / 3 | |
| 0.0.30 | 2 / 3 | |
| 0.0.28 | 2 / 3 | |
v0.0.132
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.131
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.123
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.122
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.121
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.120
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.118
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.116
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.115
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.112
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.111
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.110
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.108
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.106
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.104
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.101
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.90
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.89
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.86
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.83
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.82
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.81
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.80
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.68
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.66
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.65
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.62
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.61
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.60
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.55
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.40
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.34
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.33
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.31
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.30
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.