@ecan-bi/pivot-table — Greenflagged

### 项目开发指南 ``` // 下载项目依赖（node_modules） yarn install --registry=https://registry.npm.taobao.org

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

huangjunhaozhanxiaohua

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Org-scoped internal BI component; lack of provenance is consistent across all versions and not a risk indicator here.	ai	2026/05/18
phantom-deps	phantom-dep:@ecan-bi/datav	AI (phantom-deps): Same-org dependency; phantom detection is a false positive for this package's build pattern.	ai	2026/04/29
phantom-deps	phantom-dep:@visactor/vtable	AI (phantom-deps): Referenced in config files only; consistent with bundled/peer usage pattern across versions.	ai	2026/04/29
phantom-deps	phantom-dep:@visactor/vtable-export	AI (phantom-deps): Referenced in config files only; consistent with bundled/peer usage pattern across versions.	ai	2026/04/29
phantom-deps	phantom-dep:monaco-editor	AI (phantom-deps): Listed in both dependencies and devDependencies; config-file reference is a stable false positive.	ai	2026/04/29

Versions (showing 6 of 6)

Version	Deps	Published
1.1.8	5 / 31	2026-04-27
1.1.7	5 / 31	2026-04-27
1.1.6	5 / 31	2026-04-23
1.1.5	5 / 31	2026-04-21
1.1.4	5 / 31	2026-03-31
1.1.3	5 / 31	2026-03-31