@hebcal/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/size-demo/dist/getHoliday.js | AI (source-diff): Rollup bundle artifact in size-demo directory; readable TS-compiled calendar logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/he.po.js | AI (source-diff): Hebrew translation dictionary; long lines are JSON-like data, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/size-demo/dist/parshiyot.js | AI (source-diff): Rollup bundle artifact in size-demo directory; same pattern as getHoliday.js. | ai | |
| source-diff | obfuscated-file:dist/size-demo/dist/sedra.js | AI (source-diff): Rollup bundle artifact in size-demo directory; same pattern as getHoliday.js. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a TypeScript runtime helper; used implicitly by compiled TS output, not directly imported. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @hebcal/core is a long-established Jewish calendar library; scoped name has no relation to the cors package. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 6.5.0 | 4 / 15 | |
| 6.4.1 | 4 / 15 | |
| 6.4.0 | 4 / 15 | |
| 6.3.3 | 4 / 15 | |
| 6.3.2 | 4 / 15 | |
| 6.3.1 | 4 / 15 | |
| 6.3.0 | 4 / 15 | |
| 6.2.0 | 4 / 14 | |
| 6.1.0 | 4 / 14 | |
| 6.0.8 | 5 / 15 | |
| 6.0.7 | 5 / 15 | |
| 6.0.6 | 5 / 15 | |
| 6.0.5 | 5 / 15 | |
| 6.0.4 | 5 / 15 | |
| 6.0.3 | 5 / 15 | |
| 6.0.2 | 5 / 15 | |
| 6.0.1 | 5 / 15 | |
| 6.0.0 | 5 / 15 |
v6.5.0
2 findingsPackage name '@hebcal/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.1
2 findingsPackage name '@hebcal/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
2 findingsPackage name '@hebcal/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
2 findingsPackage name '@hebcal/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.8
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.7
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.6
2 findingsPackage name '@hebcal/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.