@everymatrix/player-account-biometrics
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-BIcCF2G5.js | AI (source-diff): Standard Svelte/Vite minified build output; not malicious obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-Cbfj0B1A.js | AI (source-diff): Standard Svelte/Vite minified build output; not malicious obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-CAMqT8lN.js | AI (source-diff): Standard minified Svelte component bundle output; stable pattern for this scoped package. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-DCy7TM2N.cjs | AI (source-diff): Standard minified Svelte component bundle output; stable pattern for this scoped package. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-DR8eeCZD.js | AI (source-diff): Standard minified Svelte component bundle output; stable pattern for this scoped package. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-D2hlVt5i.js | AI (source-diff): Standard Svelte/Vite minified bundle output; consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-BuxKbLCx.cjs | AI (source-diff): Standard Svelte/Vite minified bundle output; consistent with this package's build pattern across 453 versions. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-Cnwnu-pX.js | AI (source-diff): Standard Svelte/Vite minified bundle output; consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-Dva-cY-t.js | AI (source-diff): Standard Vite/Rollup minified Svelte bundle output; consistent with this package's build pattern across 453 versions. | ai | |
| source-diff | obfuscated-file:components/PlayerAccountBiometrics-CDI1PYvo.js | AI (source-diff): Standard Vite/Rollup minified Svelte bundle output; consistent with this package's build pattern across 453 versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal component package with no public repo/deps; consistent pattern across 428 versions in this org's registry. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Org-internal component; missing description is a stable pattern for this package family. | ai | |
Versions (showing 7 of 263)
| Version | Deps | Published |
|---|---|---|
| 1.68.0 | 0 / 0 | |
| 1.67.3 | 0 / 0 | |
| 1.67.0 | 0 / 0 | |
| 1.66.2 | 0 / 0 | |
| 1.66.1 | 0 / 0 | |
| 1.66.0 | 0 / 0 | |
| 1.65.3 | 0 / 0 | |
v1.68.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.67.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.67.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.66.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.65.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.