@e-llm-studio/requirement-ai
---
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
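The fix the per-version findings below ask for is a publish step that runs in CI with an OIDC identity, so npm can attach a Sigstore attestation tying the tarball to the repository and workflow that built it. The workflow below is an added illustration, not a file from this package's repository; the workflow name, the `release` trigger, the Node version, the `NPM_TOKEN` secret name and `--access public` are assumptions, and only the `id-token: write` permission and the `--provenance` flag are what provenance actually requires.

```yaml
# Added example: minimal GitHub Actions publish job that produces npm provenance.
# Assumed names: workflow "publish", secret NPM_TOKEN, Node 20, public package.
name: publish
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write        # required: lets npm request the OIDC token that Sigstore signs
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public   # --provenance attaches the attestation
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Once versions are published this way, a consumer can verify the attestation locally with `npm audit signatures`, which checks both the registry signature and the provenance attestation against the Sigstore transparency log; versions published before the change, such as every one listed below, will still report no provenance.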
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/features/RequirementAI/components/userstory-with-citation/components/InlineUpdatedComponent.js | AI (source-diff): Standard minified build output for a React UI component library; no malicious patterns present. | ai | |
| source-diff | obfuscated-file:dist/cjs/features/RequirementAI/components/userstory-with-citation/components/InlineUpdatedComponent.js | AI (source-diff): Standard minified CJS build output; readable React component logic with no malicious patterns. | ai | |
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-window | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:monaco-editor | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:remark-breaks | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Same pattern — config-referenced peer dep in a UI component library. | ai | |
| phantom-deps | phantom-dep:react-virtualized-auto-sizer | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pdf-collaborative-tool | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:remark-gfm | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-syntax-highlighter | AI (phantom-deps): react-syntax-highlighter is a declared runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:radix-ui | AI (phantom-deps): radix-ui is a declared runtime dep used via config; phantom-dep heuristic false positive for this package. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 0.0.154 | 26 / 48 | |
| 0.0.150 | 26 / 48 | |
| 0.0.145 | 26 / 48 | |
| 0.0.137 | 26 / 48 | |
| 0.0.130 | 26 / 48 | |
| 0.0.129 | 26 / 48 | |
| 0.0.127 | 26 / 48 | |
| 0.0.117 | 24 / 47 | |
| 0.0.105 | 24 / 47 | |
| 0.0.104 | 24 / 47 | |
| 0.0.103 | 24 / 47 | |
| 0.0.73 | 24 / 47 | |
| 0.0.39 | 22 / 46 | |
| 0.0.16 | 22 / 46 | |
| 0.0.15 | 22 / 46 | |
| 0.0.9 | 21 / 46 | |
v0.0.154
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.150
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.145
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.137
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.130
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.129
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.127
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.117
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.105
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.104
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.103
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.73
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.39
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.