@finos/legend-vscode-extension-dependencies
Legend dependencies for vscode extension
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:lib/bundles/bundle.cjs.js | AI (source-diff): Long encoded strings are minified/bundled rollup output from React Router; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-art | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-lego | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-graph | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-shared | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-storage | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-data-cube | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-application | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/react | AI (phantom-deps): Type-only framework dep; stable FP for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-application-studio | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-extension-dsl-diagram | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@finos/legend-application-query-bootstrap | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): React is a peer/bundled dep for a UI component package; phantom-dep heuristic is a stable FP here. | ai | |
| phantom-deps | phantom-dep:@finos/legend-lego | AI (phantom-deps): Same-org sibling; phantom-dep heuristic is a stable FP here. | ai | |
| phantom-deps | phantom-dep:@finos/legend-application-query-bootstrap | AI (phantom-deps): Same-org sibling; phantom-dep heuristic is a stable FP here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Aggregator/bundle package in a monorepo; sparse README and no keywords are expected for this type of package. | ai | |
| dependencies | unvetted-dep:@finos/legend-query-builder | AI (dependencies): Same-org monorepo sibling; stable false positive for this package. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 4.0.277 | 13 / 19 | |
| 4.0.276 | 13 / 19 | |
| 4.0.275 | 13 / 19 | |
| 4.0.273 | 13 / 19 | |
| 4.0.272 | 13 / 19 | |
| 4.0.271 | 13 / 19 | |
| 4.0.270 | 13 / 19 | |
| 4.0.269 | 13 / 19 | |
| 4.0.268 | 13 / 19 | |
| 4.0.267 | 13 / 19 | |
| 4.0.266 | 13 / 19 | |
| 4.0.265 | 13 / 19 | |
| 4.0.264 | 13 / 19 | |
| 4.0.263 | 13 / 19 | |
| 4.0.262 | 13 / 19 | |
| 4.0.261 | 13 / 19 | |
| 4.0.260 | 13 / 19 | |
| 4.0.259 | 13 / 19 | |
| 4.0.258 | 13 / 19 | |
| 4.0.257 | 13 / 19 | |
| 4.0.256 | 13 / 19 | |
| 4.0.255 | 13 / 19 | |
| 4.0.254 | 13 / 19 | |
v4.0.277
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.276
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.275
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.273
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.272
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.271
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.270
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.269
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.268
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.267
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.266
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.265
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.264
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.263
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.262
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.261
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.260
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.258
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.257
2 findings:
- Modified file contains 2 long encoded strings (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.256
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.255
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.254
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.