← Home

@galacean/engine-core

npm Repository Homepage

A subpackage of `@galacean/engine`.

2
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

yiqiimchenjianchengkong.zxxeyworldwideyinjieruimeng.sugl3336563zhanyingweizhuxudongjohanzhumrkou47husongluzhuangjujiefeyabibi

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:@galacean/engine-math AI (phantom-deps): Declared as runtime dependency in package.json; same-org scope, stable false positive for this package. ai
provenance slsa-provenance AI (provenance): Established Galacean engine monorepo publishes via CI with SLSA attestation; stable across versions. ai
bogus-package bogus-package AI (bogus-package): Core engine package in a large monorepo; sparse README and no keywords are expected for internal sub-packages. ai

Versions (showing 2 of 2)

Version Deps Published
1.6.13 1 / 1
1.6.8 1 / 1

v1.6.13

2 findings
HIGH Unclaimed maintainer email domain: yufangjun.com email-domain

Maintainer email '[email protected]' uses domain 'yufangjun.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.8

2 findings
HIGH Unclaimed maintainer email domain: yufangjun.com email-domain

Maintainer email '[email protected]' uses domain 'yufangjun.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.