@microsoft/sp-dynamic-data
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@microsoft/sp-module-interfaces | AI (phantom-deps): Same-org SPFx peer dependency; phantom-dep false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/sp-dynamic-data_default_4712469a7934869c16ad.js | AI (source-diff): Standard webpack-minified SPFx dist bundle; consistent with all prior versions of this Microsoft package. | ai | |
| source-diff | obfuscated-file:dist/sp-dynamic-data_en-us_286c47d07c491849c45f.js | AI (source-diff): Locale-specific webpack bundle; normal SPFx build artifact. | ai | |
| source-diff | obfuscated-file:dist/sp-dynamic-data_qps-ploc_b19cb76dcbbcc394a09a.js | AI (source-diff): Pseudo-locale test bundle; normal SPFx build artifact. | ai | |
| source-diff | obfuscated-file:dist/sp-dynamic-data_qps-ploca_994bdb9714fd67198d83.js | AI (source-diff): Pseudo-locale test bundle; normal SPFx build artifact. | ai | |
| phantom-deps | phantom-dep:@swc/helpers | AI (phantom-deps): Known implicit SWC runtime dependency; not directly imported but required by transpiled output. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-core-library | AI (dependencies): Sibling Microsoft SPFx package released in lockstep; expected dependency pattern for this monorepo. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-lodash-subset | AI (dependencies): Sibling Microsoft SPFx package released in lockstep; expected dependency pattern for this monorepo. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-module-interfaces | AI (dependencies): Sibling Microsoft SPFx package released in lockstep; expected dependency pattern for this monorepo. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Enterprise SDK component; sparse README and no keywords are typical for internal Microsoft SPFx packages. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-diagnostics | AI (dependencies): Sibling Microsoft SPFx package released in lockstep; expected dependency pattern for this monorepo. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 6 / 6 | |
| 1.22.2 | 6 / 6 | |
| 1.22.1 | 6 / 6 | |
| 1.22.0 | 6 / 6 | |
| 1.21.1 | 6 / 6 |
v1.23.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.