@meta2d/chart-diagram

8 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

alsmileanzhusen

Keywords

meta2d, echarts, canvas, highcharts

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| dependencies | unvetted-dep:@types/echarts | AI (dependencies): Type-only declaration package; no runtime risk. | ai | |
| dependencies | unvetted-dep:@types/zrender | AI (dependencies): Type-only declaration package; no runtime risk. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Intentional feature: executes user-supplied ECharts init scripts in a diagramming tool context. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Used to deserialize function strings in chart config objects — expected pattern for this library. | ai | |
| phantom-deps | phantom-dep:@types/echarts | AI (phantom-deps): Type-only dependency; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:@types/zrender | AI (phantom-deps): Type-only dependency; not directly imported at runtime by convention. | ai | |

Versions (showing 8 of 8)

| Version | Deps | Published |
| --- | --- | --- |
| 1.0.23 | 2 / 1 | |
| 1.0.22 | 2 / 1 | |
| 1.0.20 | 2 / 1 | |
| 1.0.19 | 2 / 1 | |
| 1.0.18 | 2 / 1 | |
| 1.0.16 | 2 / 1 | |
| 1.0.15 | 2 / 1 | |
| 1.0.14 | 2 / 1 | |

v1.0.23

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.22

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.20

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.19

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.18

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.16

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.15

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.14

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.