@matterbridge/core
Matterbridge core library
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): escape-html and express-rate-limit are well-established packages appropriate for a web-serving framework; addition is consistent with security hardening of the existing Express server. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Matterbridge core is an actively developed Matter protocol framework; 64 new source files reflects legitimate feature expansion (e.g., new behavior/cluster implementations), consistent with 122 versions in 75 days. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): glob is declared as a dependency and used in config/build tooling; phantom-dep finding is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:archiver | AI (phantom-deps): archiver is declared as a dependency and used in config/build tooling; phantom-dep finding is a stable false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver is due to monorepo version sync; README link dump reflects project documentation. Not a spam/phishing package — 18.5k weekly downloads and 122 versions confirm legitimacy. | ai | |
| dependencies | unvetted-dep:node-ansi-logger | AI (dependencies): node-ansi-logger is the author's own logging utility, consistently used across the matterbridge ecosystem. | ai | |
| dependencies | unvetted-dep:node-persist-manager | AI (dependencies): node-persist-manager is the author's own persistence utility, consistently used across the matterbridge ecosystem. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @matterbridge/core is a legitimate scoped package for the Matterbridge smart home project, not a typosquat of 'cors'. The name similarity is coincidental; the package has 18.5k weekly downloads, SLSA provenance, and a well-established GitHub presence. | ai |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 3.8.0 | 12 / 0 | |
| 3.7.10 | 12 / 0 | |
| 3.7.9 | 12 / 0 | |
| 3.7.8 | 12 / 0 | |
| 3.7.7 | 12 / 0 | |
| 3.7.6 | 12 / 0 | |
| 3.7.5 | 12 / 0 | |
| 3.7.4 | 12 / 0 | |
| 3.7.2 | 10 / 0 | |
| 3.7.1 | 10 / 0 | |
| 3.7.0 | 10 / 0 | |
| 3.6.1 | 12 / 0 | |
| 3.6.0 | 12 / 0 | |
| 3.5.6 | 12 / 0 | |
| 3.5.5 | 12 / 0 | |
| 3.5.4 | 12 / 0 | |
| 3.5.3 | 12 / 0 |
v3.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.5
2 findingsPackage name '@matterbridge/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.6.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.5.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.