@knapsack/types
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/user-roles.mjs | AI (source-diff): ESM variant of user-roles.js; standard build output. | ai | |
| source-diff | obfuscated-file:dist/ui-config.js | AI (source-diff): Minified superstruct schema; standard build output. | ai | |
| source-diff | obfuscated-file:dist/ui-config.mjs | AI (source-diff): ESM variant of ui-config.js; standard build output. | ai | |
| source-diff | obfuscated-file:dist/user-roles.js | AI (source-diff): Minified user-role constants; plainly readable domain data. | ai | |
| source-diff | obfuscated-file:dist/renderers.js | AI (source-diff): Standard tsup/esbuild minified output; readable domain logic, no obfuscation. | ai | |
| source-diff | obfuscated-file:dist/renderers.mjs | AI (source-diff): Standard tsup/esbuild minified output; ESM variant of renderers.js. | ai | |
| source-diff | obfuscated-file:dist/renderers.vitest.js | AI (source-diff): Vitest test bundle with bundled source-map codec; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/renderers.vitest.mjs | AI (source-diff): ESM variant of renderers.vitest.js; same bundled vitest/source-map content. | ai | |
| source-diff | net-exec-file:dist/renderers.vitest.js | AI (source-diff): Network+exec pattern is from bundled vitest/source-map-codec internals, not a dropper. | ai | |
| source-diff | net-exec-file:dist/renderers.vitest.mjs | AI (source-diff): Same as .js variant; false positive from bundled test tooling. | ai | |
| source-diff | obfuscated-file:dist/nav-customization-config.js | AI (source-diff): Minified superstruct/color-string schema definitions; standard build output. | ai | |
| source-diff | obfuscated-file:dist/typography-config.js | AI (source-diff): Minified superstruct schema; standard build output. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo internal package; missing description is consistent across all versions. | ai | |
| dependencies | unvetted-dep:@knapsack/utils | AI (dependencies): Sibling package in the same monorepo at the same version; not an external unvetted dependency. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal monorepo types package; sparse metadata is expected, not a spam indicator. | ai | |
Versions (showing 51 of 61)
| Version | Deps | Published |
|---|---|---|
| 4.93.0 | 6 / 15 | |
| 4.92.24 | 6 / 15 | |
| 4.92.23 | 6 / 15 | |
| 4.92.22 | 6 / 17 | |
| 4.92.21 | 6 / 17 | |
| 4.92.20 | 6 / 17 | |
| 4.92.19 | 6 / 17 | |
| 4.92.18 | 6 / 17 | |
| 4.92.17 | 6 / 17 | |
| 4.92.16 | 6 / 17 | |
| 4.92.15 | 6 / 17 | |
| 4.92.14 | 6 / 17 | |
| 4.92.13 | 6 / 17 | |
| 4.92.12 | 6 / 17 | |
| 4.92.11 | 6 / 17 | |
| 4.92.10 | 6 / 17 | |
| 4.92.9 | 6 / 17 | |
| 4.92.8 | 6 / 17 | |
| 4.92.7 | 6 / 17 | |
| 4.92.6 | 6 / 17 | |
| 4.92.5 | 6 / 17 | |
| 4.92.4 | 6 / 17 | |
| 4.92.3 | 6 / 17 | |
| 4.92.2 | 6 / 17 | |
| 4.85.0 | 6 / 17 | |
| 4.84.0 | 6 / 17 | |
| 4.83.0 | 6 / 17 | |
| 4.82.3 | 6 / 17 | |
| 4.82.2 | 5 / 17 | |
| 4.82.1 | 5 / 17 | |
| 4.82.0 | 5 / 17 | |
| 4.81.5 | 5 / 17 | |
| 4.81.4 | 5 / 17 | |
| 4.81.3 | 5 / 17 | |
| 4.81.2 | 5 / 17 | |
| 4.81.1 | 5 / 17 | |
| 4.81.0 | 5 / 17 | |
| 4.80.20 | 5 / 17 | |
| 4.80.19 | 5 / 17 | |
| 4.80.18 | 5 / 17 | |
| 4.80.17 | 5 / 17 | |
| 4.80.16 | 5 / 17 | |
| 4.80.15 | 5 / 17 | |
| 4.80.14 | 5 / 17 | |
| 4.80.13 | 5 / 17 | |
| 4.80.12 | 5 / 17 | |
| 4.80.11 | 5 / 17 | |
| 4.80.10 | 5 / 17 | |
| 4.80.9 | 5 / 17 | |
| 4.80.8 | 5 / 17 | |
| 4.80.7 | 5 / 17 | |
v4.93.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.24
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.23
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.22
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.21
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.92.3
13 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.92.2
13 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.85.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.84.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.83.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.82.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.82.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.82.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.82.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.81.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.20
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.19
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.80.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.