@live-change/wysiwyg-frontend

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

m8

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:compression	AI (phantom-deps): Server-side dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@tiptap/extension-gapcursor	AI (phantom-deps): Tiptap extension dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@live-change/dao-websocket	AI (phantom-deps): Same-org dep used via config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@tiptap/extension-history	AI (phantom-deps): Tiptap extension dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:rollup-plugin-visualizer	AI (phantom-deps): Build tooling dep; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@tiptap/extension-code	AI (phantom-deps): Tiptap extension dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@live-change/dao-vue3	AI (phantom-deps): Same-org dep used via config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@codemirror/lang-css	AI (phantom-deps): Declared dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:vue3-scroll-border	AI (phantom-deps): Declared dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:codeceptjs-assert	AI (phantom-deps): Test tooling dep; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:vue-prism-editor	AI (phantom-deps): Declared dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:v-shared-element	AI (phantom-deps): Declared dep used in config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:prosemirror-view	AI (phantom-deps): Peer/config dep for Tiptap editor; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@live-change/dao	AI (phantom-deps): Same-org dep used via config; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:@live-change/cli	AI (phantom-deps): Same-org CLI tool used in scripts; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:get-port-sync	AI (phantom-deps): Dev/server tooling dep; stable false positive.	ai	2026/05/26
phantom-deps	phantom-dep:serve-static	AI (phantom-deps): Server-side dep used in config; stable false positive.	ai	2026/05/26
npm-metadata	no-description	AI (npm-metadata): Established package with ecosystem trust; missing description is low-risk.	ai	2026/05/26
phantom-deps	phantom-dep:prismjs	AI (phantom-deps): Config/build reference in established frontend package; stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:vue-meta	AI (phantom-deps): Config/build reference in established frontend package; stable pattern.	ai	2026/05/26
phantom-deps	phantom-dep:cross-env	AI (phantom-deps): Build script dependency; stable pattern in this package.	ai	2026/05/26
dependencies	unvetted-dep:@live-change/secret-code-service	AI (dependencies): Same-org service; expected dependency.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/prosemirror-service	AI (dependencies): Same-org service; expected for WYSIWYG editor package.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/vue3-components	AI (dependencies): Same-org UI components; expected dependency.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/session-service	AI (dependencies): Same-org service; expected dependency.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/dao-websocket	AI (dependencies): Same-org DAO package; expected dependency.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/framework	AI (dependencies): Same-org core framework; expected dependency.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/vue3-ssr	AI (dependencies): Same-org SSR package; expected dependency for this ecosystem.	ai	2026/05/14
dependencies	unvetted-dep:vue3-scroll-border	AI (dependencies): Small Vue 3 UI component; consistent with frontend package purpose.	ai	2026/05/14
dependencies	unvetted-dep:codeceptjs-assert	AI (dependencies): Test utility; consistent with e2e testing setup in this package.	ai	2026/05/14
dependencies	unvetted-dep:vue-prism-editor	AI (dependencies): Known Vue code editor component; consistent with WYSIWYG frontend purpose.	ai	2026/05/14
dependencies	unvetted-dep:v-shared-element	AI (dependencies): Known Vue 3 shared element transition library; stable dep.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/cli	AI (dependencies): Same-org @live-change tooling; consistent across all versions.	ai	2026/05/14
dependencies	unvetted-dep:get-port-sync	AI (dependencies): Small utility used in dev server scripts; consistent with package purpose.	ai	2026/05/14
dependencies	unvetted-dep:vue-meta	AI (dependencies): Legitimate Vue meta plugin; stable dependency for this frontend package.	ai	2026/05/14
bogus-package	bogus-package	AI (bogus-package): App/demo package in a large monorepo ecosystem; missing metadata is expected, not a spam indicator.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/password-authentication-service	AI (dependencies): Same-org auth service; expected dependency for this app package.	ai	2026/05/14
dependencies	unvetted-dep:@live-change/secret-link-service	AI (dependencies): Same-org service; expected dependency.	ai	2026/05/14