@hed-hog/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
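The check behind that sentence can be scripted against registry metadata. The block below is an added example, not part of this report or of the @hed-hog/core project: it classifies each published version by whether the registry advertises a SLSA provenance attestation, and additionally flags a version that drops provenance after an earlier version had it, which is the downgrade signal worth blocking on even where "no provenance" alone has been accepted. The `dist.attestations` shape is assumed to match what the public npm registry returns (confirm with `npm view <pkg>@<ver> dist.attestations --json`); the packument itself is constructed for the example and is not real @hed-hog/core data.

```javascript
// Added example (not the report's or the project's code). Assumption: the
// dist.attestations shape matches the public npm registry's response.
const SLSA_PREFIX = 'https://slsa.dev/provenance/';

// Constructed packument fragment, in the shape of `npm view <pkg> --json`.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: {
    '1.0.0': { dist: { tarball: 'https://registry.example/example-pkg/-/example-pkg-1.0.0.tgz' } },
    '1.1.0': {
      dist: {
        tarball: 'https://registry.example/example-pkg/-/example-pkg-1.1.0.tgz',
        attestations: {
          url: 'https://registry.example/-/npm/v1/attestations/example-pkg@1.1.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    // Published later, without attestations: the "provenance downgrade" case.
    '1.1.1': { dist: { tarball: 'https://registry.example/example-pkg/-/example-pkg-1.1.1.tgz' } },
  },
};

// 'none'  : no attestations at all (the finding on every version in this report)
// 'slsa'  : a SLSA provenance attestation is advertised; the bundle still needs
//           verifying (`npm audit signatures` does that for a lockfile)
// 'other' : attestations exist but are not SLSA provenance; inspect manually
function provenanceStatus(versionMeta) {
  const att = versionMeta.dist && versionMeta.dist.attestations;
  if (!att) return 'none';
  const pt = att.provenance && att.provenance.predicateType;
  return typeof pt === 'string' && pt.startsWith(SLSA_PREFIX) ? 'slsa' : 'other';
}

// Numeric x.y.z ordering; sufficient for release-style versions like 0.0.362.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function auditProvenance(packument) {
  const versions = Object.keys(packument.versions).sort(compareVersions);
  const report = versions.map((v) => ({ version: v, status: provenanceStatus(packument.versions[v]) }));
  // A version with no attestations published after one that had them is a
  // regression: the build path changed, or someone published outside CI.
  const downgrades = [];
  let seenProvenance = false;
  for (const r of report) {
    if (r.status !== 'none') seenProvenance = true;
    else if (seenProvenance) downgrades.push(r.version);
  }
  return { report, downgrades };
}

console.log(JSON.stringify(auditProvenance(SAMPLE_PACKUMENT), null, 2));
```

For a real package, feed the output of `npm view @hed-hog/core --json` into `auditProvenance`; a status of `slsa` only says the registry advertises an attestation, and `npm audit signatures` in a project with a lockfile is what actually verifies the Sigstore bundle against the registry's keys.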
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@hed-hog/api-mail | AI (dependencies): First-party sibling package from same publisher with strong approval track record. | ai | |
| dependencies | unvetted-dep:@hed-hog/api-types | AI (dependencies): First-party sibling package from same publisher with strong approval track record. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a well-known templating library; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): axios is a declared runtime dep used via @nestjs/axios; phantom-dep heuristic false positive. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used solely to dynamically import playwright module to avoid hard require; not user-controlled input. | ai | |
| phantom-deps | phantom-dep:playwright | AI (phantom-deps): Playwright is loaded via dynamic import wrapper; not directly imported but legitimately used. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @hed-hog/core is a NestJS framework core module, not a typosquat of cors. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): jsonwebtoken referenced in config files; stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Used to decode a TOTP secret before decryption — standard crypto pattern, not obfuscation. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding of AES-GCM salt/IV/authTag — standard crypto pattern in security.service.ts. | ai | |
| phantom-deps | phantom-dep:sharp | AI (phantom-deps): sharp is a known runtime/binary implicit dep; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:multer | AI (phantom-deps): multer referenced in config files; phantom-dep heuristic is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:png-to-ico | AI (phantom-deps): png-to-ico referenced in config files; stable false positive for this package. | ai | |
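Six of the accepted rows above are phantom-dep findings, and the reasons all describe the same mechanism: the dependency is declared in package.json but no file imports it by literal name. The block below is an added example in the style of that heuristic, not the scanner's or the project's code. It scans constructed sources (not real @hed-hog/core files) for static import and require specifiers, maps subpath and scoped specifiers back to package names, and reports declared dependencies that never appear. The sample reproduces two cases from the table, axios consumed through @nestjs/axios and a dependency loaded through a dynamic import wrapper whose specifier is a variable, and shows how an accepted-risk allowlist suppresses them without hiding new findings.

```javascript
// Added example (not the scanner's or hed-hog's code). package.json and the
// source files below are constructed for illustration.
const SAMPLE_PACKAGE_JSON = {
  name: '@example/core',
  dependencies: {
    '@nestjs/axios': '^3.0.0',
    axios: '^1.0.0',
    handlebars: '^4.0.0',
    playwright: '^1.0.0',
  },
};

const SAMPLE_SOURCES = {
  // axios is used only through the NestJS wrapper: axios itself is never imported.
  'src/http.ts': `import { HttpModule } from '@nestjs/axios';\nexport const mods = [HttpModule];`,
  // Subpath require: must resolve to the package name 'handlebars'.
  'src/mail.ts': `const hbs = require('handlebars/runtime');\nexport const compile = hbs.compile;`,
  // Dynamic loader built with new Function: the specifier is a variable, so a
  // static scan never sees the literal 'playwright' next to an import keyword.
  'src/pdf.ts': `const loadModule = new Function('s', 'return import(s)');\nexport const browser = () => loadModule('playwright');`,
};

// Literal specifiers in: import x from 'p', import 'p', require('p'), import('p').
const IMPORT_RE = /(?:from\s*|import\s*\(?\s*|require\s*\(\s*)['"]([^'"]+)['"]/g;

// 'lodash/fp' -> 'lodash'; '@scope/pkg/sub' -> '@scope/pkg'; './local' -> null.
function specifierToPackage(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function referencedPackages(sources) {
  const seen = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const pkg = specifierToPackage(m[1]);
      if (pkg) seen.add(pkg);
    }
  }
  return seen;
}

// `accepted` plays the role of the report's accepted-risks table: a known
// false positive is listed separately rather than silently dropped.
function findPhantomDeps(pkgJson, sources, accepted = new Set()) {
  const used = referencedPackages(sources);
  const phantom = [];
  const suppressed = [];
  for (const dep of Object.keys(pkgJson.dependencies || {})) {
    if (used.has(dep)) continue;
    (accepted.has(dep) ? suppressed : phantom).push(dep);
  }
  return { phantom, suppressed };
}

console.log(findPhantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES));
console.log(findPhantomDeps(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES, new Set(['axios', 'playwright'])));
```

The first call reports axios and playwright as phantom even though both are genuinely used, which is exactly why the rows above exist; the second shows the allowlist moving them to `suppressed` while leaving any future undeclared-or-unused dependency visible. The heuristic's blind spots are the ones the reasons column names: indirection through a sibling package, loaders built from strings, and references that live in config files the scan does not read.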
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 0.0.362 | 39 / 7 | |
| 0.0.358 | 35 / 5 | |
| 0.0.353 | 34 / 5 | |
| 0.0.351 | 34 / 5 | |
| 0.0.332 | 33 / 5 | |
| 0.0.329 | 33 / 5 | |
| 0.0.321 | 32 / 5 | |
| 0.0.319 | 32 / 5 | |
| 0.0.316 | 32 / 5 | |
| 0.0.314 | 32 / 5 | |
| 0.0.312 | 32 / 5 | |
| 0.0.310 | 32 / 5 | |
| 0.0.309 | 32 / 5 | |
| 0.0.306 | 32 / 5 | |
| 0.0.296 | 32 / 5 | |
| 0.0.292 | 32 / 5 | |
| 0.0.193 | 31 / 5 | |
| 0.0.175 | 31 / 5 | |
| 0.0.174 | 31 / 5 | |
| 0.0.171 | 31 / 5 | |
| 0.0.170 | 31 / 5 | |
| 0.0.165 | 31 / 5 | |
| 0.0.124 | 31 / 5 | |
| 0.0.111 | 31 / 5 | |
v0.0.362
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.358
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.353
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.351
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.332
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.329
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.321
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.319
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.316
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.314
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.312
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.310
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.309
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.296
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.292
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.193
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.175
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.174
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.171
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.170
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.165
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.124
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.111
2 findings: Package name '@hed-hog/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
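The "1 edit(s) away from popular package 'cors'" finding on the older versions comes from running Levenshtein distance on the unscoped part of the name: `core` and `cors` differ by one substitution. The block below is an added example, not the scanner's code, that reproduces that computation and adds the scope-aware refinement the accepted-risk entry argues for: a scoped name such as `@hed-hog/core` cannot be reached by mistyping `npm i cors`, so a hit on the unscoped tail of a scoped package is reported at lower severity than the same hit on an unscoped name. `POPULAR` is a constructed stand-in for the scanner's popular-package list.

```javascript
// Added example (not the scanner's code). POPULAR is a constructed list.
const POPULAR = ['cors', 'core-js', 'express', 'lodash', 'axios'];

// Classic dynamic-programming edit distance (insert, delete, substitute = 1).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// '@hed-hog/core' -> { scope: '@hed-hog', base: 'core' }; 'cors' -> { scope: null, base: 'cors' }
function splitScope(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

function typosquatCandidates(name, popular = POPULAR, maxDistance = 1) {
  const { scope, base } = splitScope(name);
  const hits = [];
  for (const p of popular) {
    if (p === name) continue; // the popular package itself is not its own squat
    const d = levenshtein(base, p);
    if (d <= maxDistance) hits.push({ target: p, distance: d });
  }
  // Refinement: an unscoped near-miss can be installed by a typo of the popular
  // name; a scoped one cannot, so it is informational rather than a warning.
  const severity = hits.length === 0 ? 'none' : scope ? 'info' : 'warn';
  return { name, scope, base, hits, severity };
}

console.log(typosquatCandidates('@hed-hog/core'));
console.log(typosquatCandidates('corz'));
```

Scoped packages are still worth checking against typos of the scope itself (`@hed-hgo/core`), which this distance-on-the-tail rule does not cover; that is a separate comparison against known publisher scopes rather than against the popular-package list.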