@exodus/xqa
AI-powered QA agent CLI for Exodus applications.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/xqa.cjs | AI (source-diff): Encoded string is the llhttp WASM binary from undici — a standard bundled WebAssembly payload, not malicious. | ai | |
| phantom-deps | phantom-dep:jiti | AI (phantom-deps): jiti is a declared runtime dep used as a config loader; phantom-dep heuristic fires because it's not directly imported in analyzed source. | ai | |
| phantom-deps | phantom-dep:@mobilenext/mobile-mcp | AI (phantom-deps): Declared as runtime dep but not directly imported; used as a tool/config dependency, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ulid | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| phantom-deps | phantom-dep:sharp | AI (phantom-deps): sharp is a known implicit/binary dep; pkg assets config confirms intentional bundling. | ai | |
| phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| typosquat | typosquat.levenshtein:koa | AI (typosquat): Scoped @exodus package; not a typosquat of koa — edit distance match is coincidental. | ai | |
| phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| phantom-deps | phantom-dep:gray-matter | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| phantom-deps | phantom-dep:@octokit/rest | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @exodus package; not a typosquat of qs — edit distance match is coincidental. | ai | |
| phantom-deps | phantom-dep:ajv | AI (phantom-deps): CLI tool bundles deps via esbuild; direct imports not expected in source. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 11.3.0 | 8 / 28 | |
| 11.2.0 | 8 / 28 | |
| 11.1.0 | 8 / 28 | |
| 11.0.0 | 8 / 27 | |
| 10.2.0 | 8 / 28 | |
| 10.1.0 | 8 / 28 | |
| 10.0.0 | 8 / 28 | |
| 9.4.0 | 8 / 28 | |
| 9.3.1 | 8 / 28 | |
| 9.3.0 | 8 / 28 | |
| 9.2.2 | 8 / 28 | |
| 9.2.1 | 8 / 28 | |
| 9.2.0 | 8 / 28 | |
| 9.1.0 | 8 / 28 | |
| 9.0.1 | 8 / 28 | |
| 9.0.0 | 8 / 28 | |
| 8.6.0 | 8 / 28 | |
| 8.5.1 | 8 / 28 | |
| 8.5.0 | 8 / 28 | |
| 8.4.0 | 8 / 27 | |
| 8.3.0 | 8 / 27 | |
| 8.2.2 | 8 / 27 | |
| 8.2.1 | 8 / 27 | |
| 8.2.0 | 8 / 27 | |
| 8.1.0 | 8 / 27 | |
| 8.0.0 | 8 / 27 | |
| 7.1.0 | 8 / 28 | |
| 7.0.0 | 8 / 28 | |
| 6.0.0 | 9 / 28 | |
| 5.5.0 | 8 / 25 | |
| 5.4.0 | 8 / 25 | |
| 1.1.0 | 4 / 18 | |
| 1.0.0 | 4 / 18 | |
v11.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.4.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.6.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.4.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
2 findings:
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
2 findings:
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
2 findings:
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings:
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.