
@janelia-flyem/neuroglancer

• 1 Versions
• License
• No Install Scripts
• Missing Provenance

Supply chain provenance

Status for the latest visible version.

• No SLSA provenance
• npm registry signatures
• gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

neomorphic, docsavage, tingzhao

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:ikonate | AI (npm-metadata): ikonate is a known SVG icon library; SHA-pin is intentional supply-chain hygiene for this package. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Python C-extension build artifacts (.o, .so) consistent with neuroglancer's documented Python bindings. | ai | |
| dependencies | unvetted-dep:ikonate | AI (dependencies): Same ikonate SHA-pin; stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used for annotation serializer code-generation in neuroglancer's documented architecture. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): Build tool referenced in config scripts, not imported directly. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Build tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type-only package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/pako | AI (phantom-deps): Type-only package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Type-only package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/gl-matrix | AI (phantom-deps): Type-only package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/codemirror | AI (phantom-deps): Type-only package; stable false positive. | ai | |
| phantom-deps | phantom-dep:svg-inline-loader | AI (phantom-deps): Webpack loader referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/webpack-env | AI (phantom-deps): Type-only package; stable false positive. | ai | |

Versions (showing 1 of 1)

| Version | Deps | Published |
|---|---|---|
| 2.37.5 | 17 / 34 | |

v2.37.5

3 findings
[HIGH] SHA-pinned github dependency: ikonate (source: npm-metadata)

Dependency 'ikonate' in `dependencies` points to 'github:mikolajdobrucki/ikonate#a86b4107c6ec717e7877f880a930d1ccf0b59d89' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

[HIGH] Bundled binary files (6) (source: npm-metadata)

Package contains compiled binaries that could be backdoors:
• build/temp.macosx-10.9-x86_64-3.7/python/ext/src/_neuroglancer.o
• build/temp.macosx-10.9-x86_64-3.7/python/ext/src/mesh_objects.o
• build/temp.macosx-10.9-x86_64-3.7/python/ext/src/on_demand_object_mesh_generator.o
• build/temp.macosx-10.9-x86_64-3.7/python/ext/src/openmesh_dependencies.o
• build/temp.macosx-10.9-x86_64-3.7/python/ext/src/voxel_mesh_generator.o
• build/lib.macosx-10.9-x86_64-3.7/neuroglancer/_neuroglancer.cpython-37m-darwin.so

[LOW] No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.