← Home

@hmcts/rpx-xui-node-lib

npm Repository Homepage

Common nodejs library components for XUI

6
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

timja-hmctstimjajenkins-reform-hmctsplayfair0319thomast1906hmctsnpm

Keywords

XUInodeauthentication

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:deepmerge AI (phantom-deps): deepmerge is a runtime dep used in config; phantom-dep heuristic is a false positive here. ai
dependencies unvetted-dep:jest-mock-axios AI (dependencies): jest-mock-axios is a standard test utility; stable false positive for this package. ai
dependencies unvetted-dep:session-file-store AI (dependencies): session-file-store is a well-known express-session backend; no malware indicators. ai
phantom-deps phantom-dep:@hapi/joi AI (phantom-deps): Dual joi/@hapi/joi pattern common in this codebase; stable false positive. ai
phantom-deps phantom-dep:jest-mock-axios AI (phantom-deps): Listed as runtime dep but used via jest config; stable false positive for this package. ai
phantom-deps phantom-dep:jest-ts-auto-mock AI (phantom-deps): Used via jest transform config, not direct import; stable false positive. ai
phantom-deps phantom-dep:caller-path AI (phantom-deps): caller-path is explicitly listed as a runtime dependency in package.json; phantom-dep is a false positive for this package. ai

Versions (showing 6 of 6)

Version Deps Published
2.30.13 15 / 33
2.30.12 16 / 39
2.30.10 19 / 38
2.30.9 18 / 37
2.30.8 18 / 37
2.30.7 18 / 37

v2.30.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.30.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.30.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.30.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.30.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.