@jbrowse/img
Static exports of JBrowse 2 rendering.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:canvas | AI (dependencies): canvas is a well-known native Node.js binding used for server-side rendering; expected for a genomics image export tool. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long-lived JBrowse org package with trusted publisher history; dormancy likely reflects project cadence, not takeover. | ai | |
| phantom-deps | phantom-dep:jsdom | AI (phantom-deps): jsdom used as headless DOM environment for rendering; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:canvas | AI (phantom-deps): canvas is a runtime rendering dep for this CLI image-export tool; loaded dynamically. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): CLI tool; yargs used in bin entry point, may not be statically detected. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): Network fetch for genome data; runtime usage pattern for this tool. | ai | |
| phantom-deps | phantom-dep:tmp | AI (phantom-deps): Temp file handling for image export; runtime usage. | ai | |
| phantom-deps | phantom-dep:@jbrowse/plugin-linear-genome-view | AI (phantom-deps): Same-org JBrowse plugin loaded dynamically; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jbrowse/react-linear-genome-view2 | AI (phantom-deps): Same-org JBrowse component; dynamically loaded renderer. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): react is a runtime peer/dependency used by the JBrowse React components; phantom-dep heuristic misfires here. | ai | |
| phantom-deps | phantom-dep:@types/jsdom | AI (phantom-deps): Type-only package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/yargs | AI (phantom-deps): Type-only package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/cache | AI (phantom-deps): Emotion packages used by JBrowse components; stable false positive. | ai | |
| phantom-deps | phantom-dep:@emotion/react | AI (phantom-deps): Emotion packages used by JBrowse components; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): react-dom is a runtime peer/dependency; stable false positive for this package. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped JBrowse package; Levenshtein match to 'pg' is a false positive with no semantic resemblance. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 4.3.0 | 12 / 0 | |
| 4.2.1 | 12 / 0 | |
| 4.1.15 | 12 / 0 | |
| 4.1.11 | 12 / 0 | |
| 4.1.9 | 12 / 0 | |
| 4.1.5 | 12 / 0 | |
| 4.0.1 | 13 / 0 | |
| 4.0.0 | 13 / 0 | |
v4.3.0 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.1 (1 finding): Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.15 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.11 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.1.9 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.5 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1 (1 finding): Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0 (1 finding): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.