@microsoft/omnichannel-chat-widget
Microsoft Omnichannel Chat Widget
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established Microsoft package; provenance absence is consistent across its 458-version history. | ai | |
| dependencies | unvetted-dep:@microsoft/applicationinsights-web | AI (dependencies): Microsoft's own telemetry SDK; expected for a Microsoft chat widget. | ai | |
| dependencies | unvetted-dep:simple-update-in | AI (dependencies): Immutable update utility; expected for state management in chat widget. | ai | |
| dependencies | unvetted-dep:abort-controller-es5 | AI (dependencies): ES5 polyfill for abort-controller; expected for chat SDK compatibility. | ai | |
| dependencies | unvetted-dep:p-defer-es5 | AI (dependencies): ES5 polyfill for p-defer; expected for chat SDK compatibility. | ai | |
| dependencies | unvetted-dep:markdown-it-attrs-es5 | AI (dependencies): ES5 polyfill variant of markdown-it-attrs; expected for chat widget compatibility. | ai | |
| dependencies | unvetted-dep:markdown-it-for-inline | AI (dependencies): markdown-it plugin; expected for chat widget markdown rendering. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): Standard markdown rendering library; expected dependency for a chat widget. | ai | |
| dependencies | unvetted-dep:slack-markdown-it | AI (dependencies): Slack-flavored markdown plugin; expected for chat widget formatting. | ai | |
| source-diff | encoded-string-file:lib/cjs/assets/Audios.js | AI (source-diff): Encoded string is a data:audio/mpeg base64 URI — consistent with an embedded notification sound asset, not obfuscated payload. | ai | |
| phantom-deps | phantom-dep:p-defer-es5 | AI (phantom-deps): Declared in resolutions/dependencies for ES5 compat; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:markdown-it-attrs-es5 | AI (phantom-deps): ES5 compat variant; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:abort-controller-es5 | AI (phantom-deps): ES5 compat shim; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@azure/core-tracing | AI (phantom-deps): Framework-scoped package loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api | AI (phantom-deps): Framework-scoped peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:markdown-it-attrs | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:abort-controller | AI (phantom-deps): ES5 compat shim referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): Used via config/bundling; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:core-js-pure | AI (phantom-deps): Known implicit polyfill dependency; stable false positive for this package. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.8.5 | 18 / 62 | |
| 1.8.2 | 18 / 62 | |
| 1.8.1 | 18 / 62 | |
| 1.8.0 | 18 / 62 | |
| 1.7.8 | 18 / 62 | |
v1.8.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.