@equinor/videx-3d
React 3D component library designed for sub surface visualizations in the browser
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:use-zustand | AI (dependencies): Legitimate zustand companion library; no malware indicators, stable dependency for this package. | ai | |
| dependencies | unvetted-dep:curve-interpolator | AI (dependencies): Standard math/geometry utility; no malware indicators, stable dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): Equinor org package; missing provenance is common and not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:use-zustand | AI (phantom-deps): Declared runtime dep in a bundled ESM library; phantom-dep heuristic fires on bundled output, not a real concern. | ai | |
| phantom-deps | phantom-dep:lodash.filter | AI (phantom-deps): Declared runtime dep; phantom-dep heuristic is a false positive for bundled library output. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 1.1.0 | 19 / 48 | |
| 1.0.3 | 19 / 48 | |
| 1.0.2 | 19 / 48 | |
| 1.0.0 | 19 / 48 | |
v1.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.