@hmcts/one-per-page
One question per page apps made easy
2
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
timja-hmctstimjajenkins-reform-hmctsplayfair0319thomast1906hmctsnpm
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@hapi/cryptiles | AI (phantom-deps): Direct dependency declared in package.json; used transitively through hapi ecosystem deps. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): Used transitively via config package; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:router | AI (phantom-deps): Declared as direct dep in package.json; phantom-dep heuristic may not detect indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:@hapi/hoek | AI (phantom-deps): Direct dependency declared in package.json; used transitively through hapi ecosystem deps. | ai | |
| phantom-deps | phantom-dep:sshpk | AI (phantom-deps): Listed in resolutions block for dependency pinning; not a direct import by design. | ai | |
| phantom-deps | phantom-dep:url-parse | AI (phantom-deps): Pinned in resolutions for security; not directly imported by this package. | ai | |
| phantom-deps | phantom-dep:nunjucks | AI (phantom-deps): nunjucks is a transitive dep of express-nunjucks; phantom-dep heuristic fires but it's legitimately used indirectly. | ai | |
| phantom-deps | phantom-dep:express-nunjucks | AI (phantom-deps): express-nunjucks is a declared runtime dep; phantom-dep heuristic is a false positive for this package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode is used for AES IV parsing in a standard crypto.createDecipheriv call — not obfuscation or payload hiding. | ai |
v7.0.0
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.