← Home

@live-change/upload-frontend

npm
12
Versions
BSD-3-Clause
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

m8

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:primevue AI (phantom-deps): Config-file reference in a Vue3 frontend package; stable false positive. ai
phantom-deps phantom-dep:cross-env AI (phantom-deps): Used in npm scripts; not directly imported in source. ai
phantom-deps phantom-dep:primeflex AI (phantom-deps): Config-file reference; stable false positive for this frontend package. ai
phantom-deps phantom-dep:primeicons AI (phantom-deps): Config-file reference; stable false positive for this frontend package. ai
phantom-deps phantom-dep:compression AI (phantom-deps): Server config reference; stable false positive. ai
phantom-deps phantom-dep:@vueuse/core AI (phantom-deps): Config-file reference; stable false positive for this frontend package. ai
phantom-deps phantom-dep:pretty-bytes AI (phantom-deps): Config-file reference; stable false positive. ai
phantom-deps phantom-dep:serve-static AI (phantom-deps): Server config reference; stable false positive. ai
phantom-deps phantom-dep:get-port-sync AI (phantom-deps): Config-file reference; stable false positive. ai
phantom-deps phantom-dep:@live-change/cli AI (phantom-deps): Same-org dep used in scripts; stable false positive. ai
phantom-deps phantom-dep:@live-change/dao AI (phantom-deps): Same-org dep; stable false positive. ai
phantom-deps phantom-dep:v-shared-element AI (phantom-deps): Config-file reference; stable false positive. ai
phantom-deps phantom-dep:codeceptjs-assert AI (phantom-deps): Test config reference; stable false positive. ai
phantom-deps phantom-dep:vue3-scroll-border AI (phantom-deps): Config-file reference; stable false positive. ai
phantom-deps phantom-dep:serialize-javascript AI (phantom-deps): Config-file reference; stable false positive. ai
phantom-deps phantom-dep:@live-change/dao-vue3 AI (phantom-deps): Same-org dep; stable false positive. ai
phantom-deps phantom-dep:rollup-plugin-visualizer AI (phantom-deps): Build config reference; stable false positive. ai
phantom-deps phantom-dep:@live-change/user-service AI (phantom-deps): Same-org dep; stable false positive. ai
phantom-deps phantom-dep:@live-change/dao-websocket AI (phantom-deps): Same-org dep; stable false positive. ai
phantom-deps phantom-dep:rollup-plugin-node-builtins AI (phantom-deps): Build config reference; stable false positive. ai
bogus-package bogus-package AI (bogus-package): Established org package; missing metadata is a style choice, not a spam indicator. ai
provenance no-provenance AI (provenance): No provenance across all 439 versions; org-wide pattern, not a per-version concern. ai

Versions (showing 12 of 12)

Version Deps Published
0.9.209 30 / 7
0.9.208 30 / 7
0.9.207 30 / 7
0.9.206 30 / 7
0.9.205 30 / 7
0.9.204 30 / 7
0.9.203 30 / 7
0.9.194 30 / 7
0.9.192 30 / 7
0.9.179 30 / 7
0.9.161 30 / 7
0.9.136 30 / 7

v0.9.209

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.208

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.207

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.206

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.205

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.203

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.194

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.192

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.179

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.161

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.136

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.