@finos/legend-extension-dsl-data-product
Legend data product viewer core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Framework-scoped package loaded by convention in React projects. | ai | |
| phantom-deps | phantom-dep:@types/react-dom | AI (phantom-deps): Framework-scoped package loaded by convention in React projects. | ai | |
| phantom-deps | phantom-dep:@testing-library/dom | AI (phantom-deps): Testing framework package loaded by convention. | ai | |
| phantom-deps | phantom-dep:@testing-library/react | AI (phantom-deps): Testing framework package loaded by convention. | ai | |
| phantom-deps | phantom-dep:node-diff3 | AI (phantom-deps): Config-referenced dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:oidc-client-ts | AI (phantom-deps): Config-referenced dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-shared | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-storage | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-application | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-code-editor | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-server-depot | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-query-builder | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-server-lakehouse | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:serializr | AI (dependencies): Well-known serialization library; stable dependency for this FINOS package. | ai | |
| dependencies | unvetted-dep:@finos/legend-extension-dsl-diagram | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| phantom-deps | phantom-dep:yaml | AI (phantom-deps): Monorepo config-referenced dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Monorepo config-referenced dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dnd | AI (phantom-deps): Monorepo config-referenced dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Monorepo config-referenced dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:mobx-utils | AI (phantom-deps): Monorepo config-referenced dep; phantom-dep heuristic false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-server-marketplace | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:node-diff3 | AI (dependencies): Standard diff library; expected dependency for this FINOS package. | ai | |
| dependencies | unvetted-dep:@finos/legend-art | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:@finos/legend-lego | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai | |
| dependencies | unvetted-dep:react-oidc-context | AI (dependencies): Standard OIDC React library; expected for auth flows in this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-graph | AI (dependencies): Sibling FINOS monorepo package; stable dependency pattern. | ai |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.0.87 | 30 / 9 | |
| 0.0.86 | 30 / 9 | |
| 0.0.85 | 30 / 9 | |
| 0.0.84 | 30 / 9 | |
| 0.0.83 | 30 / 9 | |
| 0.0.82 | 30 / 9 | |
| 0.0.81 | 30 / 9 | |
| 0.0.80 | 30 / 9 | |
| 0.0.79 | 30 / 9 | |
| 0.0.78 | 30 / 9 | |
| 0.0.77 | 30 / 9 | |
| 0.0.76 | 30 / 9 | |
| 0.0.75 | 30 / 9 | |
| 0.0.74 | 30 / 9 | |
| 0.0.73 | 30 / 9 | |
| 0.0.72 | 30 / 9 | |
| 0.0.71 | 30 / 9 | |
| 0.0.70 | 30 / 9 | |
| 0.0.69 | 30 / 9 | |
| 0.0.68 | 30 / 9 | |
| 0.0.17 | 28 / 9 | |
| 0.0.16 | 28 / 9 | |
| 0.0.15 | 28 / 9 | |
| 0.0.14 | 28 / 9 | |
| 0.0.13 | 28 / 9 | |
| 0.0.12 | 28 / 9 | |
| 0.0.11 | 28 / 9 | |
| 0.0.10 | 28 / 9 | |
| 0.0.9 | 28 / 9 | |
| 0.0.8 | 28 / 9 | |
| 0.0.7 | 28 / 9 | |
| 0.0.6 | 28 / 9 | |
| 0.0.5 | 28 / 9 | |
| 0.0.4 | 28 / 9 | |
| 0.0.3 | 28 / 9 | |
| 0.0.2 | 28 / 9 |
v0.0.87
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.86
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.85
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.84
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.83
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.82
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.81
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.80
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.79
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.78
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.77
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.76
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.75
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.74
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.73
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.71
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.70
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.69
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.68
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.