@live-change/flow-frontend
Versions: 3
License: BSD-3-Clause
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
m8
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@live-change/vue3-ssr | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:primevue | AI (phantom-deps): UI framework declared for config/peer use; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:primeflex | AI (phantom-deps): CSS utility declared for config/peer use; stable false positive. | ai | |
| phantom-deps | phantom-dep:primeicons | AI (phantom-deps): Icon library declared for config/peer use; stable false positive. | ai | |
| phantom-deps | phantom-dep:cross-env | AI (phantom-deps): Used in npm scripts, not imported; stable false positive. | ai | |
| phantom-deps | phantom-dep:compression | AI (phantom-deps): Server middleware declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:@vueuse/core | AI (phantom-deps): Vue composables declared for config/peer use; stable false positive. | ai | |
| phantom-deps | phantom-dep:serve-static | AI (phantom-deps): Server middleware declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:get-port-sync | AI (phantom-deps): Dev tooling declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/cli | AI (phantom-deps): Same-org CLI tool used in npm scripts; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/dao | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:codeceptjs-assert | AI (phantom-deps): Test tooling declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:vue3-scroll-border | AI (phantom-deps): UI component declared for config/peer use; stable false positive. | ai | |
| phantom-deps | phantom-dep:serialize-javascript | AI (phantom-deps): Declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/dao-vue3 | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-visualizer | AI (phantom-deps): Build tool declared for config use; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/user-service | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/dao-websocket | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@live-change/user-frontend | AI (phantom-deps): Same-org sibling dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-node-builtins | AI (phantom-deps): Build tool declared for config use; stable false positive. | ai | |
v0.9.187
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.186
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.