@fedify/vocab — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hongminhee

Keywords

FedifyActivityPubFediverse

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/vocab-_kw7FW7s.js	AI (source-diff): This is a tsdown-bundled build artifact. The 'obfuscation' is due to bundling/minification of node_modules into a single file, not malicious obfuscation. SLSA provenance attestation confirms CI/CD build integrity.	ai	2026/04/27
source-diff	obfuscated-file:dist/vocab-BEm3nS_O.js	AI (source-diff): This is a bundled build artifact (tsdown output) for the @fedify/vocab package. Long lines are from bundling, not obfuscation. Content is readable and imports known, legitimate dependencies.	ai	2026/04/27
source-diff	obfuscated-file:dist/vocab-DH_Ya-M_.js	AI (source-diff): Large bundled JS artifact from tsdown/rollup build pipeline; content is readable bundled code from known deps, not obfuscated. Hash-suffixed filename is standard bundler output. SLSA provenance confirms CI/CD origin.	ai	2026/04/27
phantom-deps	phantom-dep:multicodec	AI (phantom-deps): multicodec is a declared dependency bundled into the dist output; not directly imported in source but used transitively. Consistent with this package's bundling approach.	ai	2026/04/27
dependencies	unvetted-dep:jsonld	AI (dependencies): jsonld is a well-known JSON-LD processing library; its use is expected and appropriate for an ActivityPub vocabulary package that relies on JSON-LD semantics.	ai	2026/04/26
phantom-deps	phantom-dep:jsonld	AI (phantom-deps): jsonld is a well-known JSON-LD library; phantom flag reflects monorepo build config usage, not a risk.	ai	2026/04/25
dependencies	unvetted-dep:@fedify/webfinger	AI (dependencies): First-party sibling package within the Fedify monorepo; always published together at matching versions.	ai	2026/04/25
phantom-deps	phantom-dep:@multiformats/base-x	AI (phantom-deps): Declared for config/transitive use in monorepo; not a supply chain risk.	ai	2026/04/25
dependencies	unvetted-dep:@fedify/vocab-tools	AI (dependencies): First-party sibling package within the Fedify monorepo; always published together at matching versions.	ai	2026/04/25
dependencies	unvetted-dep:@fedify/vocab-runtime	AI (dependencies): First-party sibling package within the Fedify monorepo; always published together at matching versions.	ai	2026/04/25
phantom-deps	phantom-dep:pkijs	AI (phantom-deps): Declared in package.json for transitive/config use in this monorepo package; not a supply chain risk.	ai	2026/04/25
phantom-deps	phantom-dep:asn1js	AI (phantom-deps): Declared in package.json for transitive/config use in this monorepo package; not a supply chain risk.	ai	2026/04/25

Versions (showing 44 of 44)

Version	Deps	Published
2.2.5	11 / 6	2026-06-05
2.2.4	11 / 6	2026-06-04
2.2.3	11 / 6	2026-05-20
2.2.2	11 / 6	2026-05-15
2.2.1	11 / 6	2026-05-10
2.2.0	11 / 6	2026-04-28
2.1.16	11 / 6	2026-06-05
2.1.15	11 / 6	2026-06-04
2.1.14	11 / 6	2026-05-20
2.1.13	11 / 6	2026-05-15
2.1.12	11 / 6	2026-05-10
2.1.11	11 / 6	2026-04-27
2.1.10	11 / 6	2026-04-23
2.1.9	11 / 6	2026-04-22
2.1.8	11 / 6	2026-04-22
2.1.7	11 / 6	2026-04-21
2.1.6	11 / 6	2026-04-20
2.1.5	11 / 6	2026-04-08
2.1.4	11 / 6	2026-04-07
2.1.3	11 / 6	2026-03-31
2.1.2	11 / 6	2026-03-28
2.1.1	11 / 6	2026-03-26
2.1.0	11 / 6	2026-03-24
2.0.20	11 / 6	2026-06-05
2.0.19	11 / 6	2026-06-04
2.0.18	11 / 6	2026-05-20
2.0.17	11 / 6	2026-05-15
2.0.16	11 / 6	2026-05-10
2.0.15	11 / 6	2026-04-27
2.0.14	11 / 6	2026-04-23
2.0.13	11 / 6	2026-04-22
2.0.12	11 / 6	2026-04-08
2.0.11	11 / 6	2026-04-07
2.0.10	11 / 6	2026-03-31
2.0.9	11 / 6	2026-03-28
2.0.8	11 / 6	2026-03-26
2.0.7	11 / 6	2026-03-22
2.0.6	12 / 6	2026-03-18
2.0.5	12 / 6	2026-03-11
2.0.4	12 / 6	2026-03-11
2.0.3	12 / 6	2026-03-03
2.0.2	12 / 6	2026-02-26
2.0.1	12 / 6	2026-02-24
2.0.0	12 / 6	2026-02-22