@formio/js
JavaScript powered Forms with JSON Form Builder
Versions: 3
License: MIT
Install scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
edwinanciani, travist, lane-formio, tanyagashtold, alexeynikipelau, brendanbond, johnformio
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package with 686 versions; provenance not historically used by this package. | ai | |
| phantom-deps | phantom-dep:quill | AI (phantom-deps): Quill is loaded dynamically/lazily in form builder; phantom-dep is a false positive here. | ai | |
| phantom-deps | phantom-dep:vanilla-picker | AI (phantom-deps): Color picker loaded on demand; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:browser-cookies | AI (phantom-deps): Used conditionally in auth flows; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:dialog-polyfill | AI (phantom-deps): Polyfill loaded conditionally; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:fast-deep-equal | AI (phantom-deps): Utility used internally; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:fast-json-patch | AI (phantom-deps): Used for JSON patch operations; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit polyfill dependency; phantom-dep false positive. | ai | |
| dependencies | unvetted-dep:quill | AI (dependencies): Quill is a well-known rich-text editor; expected dep for a form builder. | ai | |
| dependencies | unvetted-dep:browser-cookies | AI (dependencies): Small, well-known cookie utility; appropriate for a browser form SDK. | ai | |
| dependencies | unvetted-dep:dom-autoscroller | AI (dependencies): Drag-and-drop helper; consistent with form builder drag functionality. | ai | |
| dependencies | unvetted-dep:@formio/text-mask-addons | AI (dependencies): First-party @formio scoped package; stable for this package. | ai | |
| dependencies | unvetted-dep:@formio/vanilla-text-mask | AI (dependencies): First-party @formio scoped package; stable for this package. | ai | |
| phantom-deps | phantom-dep:idb | AI (phantom-deps): idb used for offline storage; dynamic import pattern triggers phantom-dep heuristic. | ai | |
| phantom-deps | phantom-dep:bootstrap | AI (phantom-deps): Bootstrap referenced in config/CSS; phantom-dep is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:jwt-decode | AI (phantom-deps): jwt-decode used conditionally; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:json-logic-js | AI (phantom-deps): json-logic-js used for conditional logic evaluation; dynamic usage triggers heuristic. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'pg'. | ai | |
| typosquat | typosquat.levenshtein:rxjs | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'rxjs'. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'joi'. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'ajv'. | ai | |
| typosquat | typosquat.levenshtein:jest | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'jest'. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): @formio/js is a scoped package for the Form.io SDK, not a typosquat of 'qs'. | ai | |
v5.3.3
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.3.2
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.