@eventcatalog/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Zod is a schema-validation library; phantom-dep pattern is expected for this use case. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used as a dynamic import() shim for pagefind; input is a controlled internal URL, not user-supplied code. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-tooltip | AI (phantom-deps): UI component referenced via config/re-export pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonpath-plus | AI (phantom-deps): Config-file reference pattern; stable false positive for this Astro-based framework package. | ai | |
| dependencies | unvetted-dep:@eventcatalog/visualiser | AI (dependencies): Same org scope (@eventcatalog); sibling package maintained by the same team. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Framework-level dep used in config/peer context; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Tailwind v4 is referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@radix-ui/react-context-menu | AI (phantom-deps): UI component referenced in config/barrel; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@tailwindcss/typography | AI (phantom-deps): Tailwind plugin referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): UI utility referenced in config/component context; stable false positive. | ai | |
| phantom-deps | phantom-dep:concurrently | AI (phantom-deps): Used in scripts context; stable false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large version jump (3.4.0→3.16.0) naturally adds many source files; SLSA provenance confirms CI build integrity. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are benign UI/markdown utilities consistent with EventCatalog's documented feature additions. | ai | |
| dependencies | unvetted-dep:astro-compress | AI (dependencies): Well-known astro compression plugin; stable dependency. | ai | |
| dependencies | unvetted-dep:astro-seo | AI (dependencies): Legitimate astro SEO integration; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:auth-astro | AI (dependencies): Legitimate astro auth integration; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@astrojs/rss | AI (dependencies): Official @astrojs scoped package; stable dependency. | ai | |
| dependencies | unvetted-dep:@astrojs/node | AI (dependencies): Official @astrojs scoped package; stable dependency. | ai | |
| dependencies | unvetted-dep:remark-comment | AI (dependencies): Small remark plugin; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@eventcatalog/sdk | AI (dependencies): Same org scope as this package; stable dependency. | ai | |
| dependencies | unvetted-dep:@eventcatalog/linter | AI (dependencies): Same org scope as this package; stable dependency. | ai | |
| dependencies | unvetted-dep:@eventcatalog/license | AI (dependencies): Same org scope as this package; stable dependency. | ai | |
| dependencies | unvetted-dep:@eventcatalog/visualizer | AI (dependencies): Same org scope as this package; stable dependency. | ai | |
| dependencies | unvetted-dep:@asyncapi/react-component | AI (dependencies): Official @asyncapi scoped package; stable dependency. | ai | |
| dependencies | unvetted-dep:@eventcatalog/generator-ai | AI (dependencies): Same org scope as this package; stable dependency. | ai | |
| phantom-deps | phantom-dep:@asyncapi/avro-schema-parser | AI (phantom-deps): Referenced in config files; expected for this framework bundle. | ai | |
| phantom-deps | phantom-dep:@tanstack/react-query | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:date-fns | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rehype-raw | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tw-animate-css | AI (phantom-deps): Config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pagefind | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:jsonpath | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:mermaid | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Same pattern — config-referenced dep in a large framework bundle. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Framework package; deps referenced in config/bundled assets rather than direct imports are an expected pattern. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@asyncapi/parser | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@fontsource/inter | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@iconify-json/logos | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@eventcatalog/linter | AI (phantom-deps): Same org scope; expected peer usage pattern. | ai | |
| phantom-deps | phantom-dep:@mermaid-js/layout-elk | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@asyncapi/react-component | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:@eventcatalog/generator-ai | AI (phantom-deps): Same org scope; expected usage pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established framework core package; missing keywords/README code blocks are cosmetic, not indicative of spam. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:remark-gfm | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Same pattern. | ai | |
| phantom-deps | phantom-dep:astro-seo | AI (phantom-deps): Same pattern. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @eventcatalog/core is the canonical core package of the EventCatalog project, not a typosquat of cors. | ai | |
Versions (showing 51 of 62)
| Version | Deps | Published |
|---|---|---|
| 3.44.2 | 87 / 22 | |
| 3.44.1 | 87 / 22 | |
| 3.44.0 | 87 / 22 | |
| 3.43.1 | 87 / 22 | |
| 3.43.0 | 87 / 22 | |
| 3.42.0 | 87 / 22 | |
| 3.41.4 | 87 / 22 | |
| 3.41.3 | 87 / 22 | |
| 3.41.2 | 88 / 22 | |
| 3.41.1 | 88 / 22 | |
| 3.41.0 | 88 / 22 | |
| 3.40.2 | 88 / 22 | |
| 3.40.1 | 88 / 22 | |
| 3.40.0 | 88 / 22 | |
| 3.39.6 | 88 / 22 | |
| 3.39.5 | 88 / 22 | |
| 3.39.4 | 88 / 22 | |
| 3.39.3 | 88 / 22 | |
| 3.39.2 | 88 / 22 | |
| 3.39.1 | 88 / 22 | |
| 3.38.0 | 88 / 22 | |
| 3.37.0 | 88 / 22 | |
| 3.36.5 | 88 / 22 | |
| 3.36.4 | 88 / 22 | |
| 3.36.3 | 88 / 22 | |
| 3.36.2 | 88 / 22 | |
| 3.36.1 | 88 / 22 | |
| 3.35.1 | 87 / 22 | |
| 3.35.0 | 87 / 22 | |
| 3.34.0 | 87 / 22 | |
| 3.33.0 | 87 / 22 | |
| 3.32.2 | 87 / 22 | |
| 3.32.1 | 87 / 22 | |
| 3.32.0 | 87 / 22 | |
| 3.31.2 | 87 / 22 | |
| 3.29.2 | 85 / 22 | |
| 3.29.1 | 85 / 22 | |
| 3.29.0 | 85 / 22 | |
| 3.28.4 | 85 / 22 | |
| 3.28.3 | 85 / 22 | |
| 3.28.2 | 85 / 22 | |
| 3.28.1 | 85 / 22 | |
| 3.28.0 | 85 / 22 | |
| 3.27.4 | 85 / 22 | |
| 3.27.3 | 85 / 22 | |
| 3.27.2 | 85 / 22 | |
| 3.27.1 | 85 / 23 | |
| 3.27.0 | 85 / 23 | |
| 3.20.3 | 84 / 23 | |
| 3.20.2 | 84 / 23 | |
| 3.18.0 | 84 / 23 | |
v3.44.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.44.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.44.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.43.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.43.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.42.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.41.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.40.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.40.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.40.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.39.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.38.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.37.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.36.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.35.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.34.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.33.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.32.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.32.1
2 findings
Package name '@eventcatalog/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.32.0
2 findings
Package name '@eventcatalog/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.31.2
2 findings
Package name '@eventcatalog/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.29.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.28.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.27.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.20.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.18.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.