@microsoft/sp-http-msgraph
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/sp-http-msgraph_qps-ploca_a310af70f7314c355d9b.js | AI (source-diff): Standard minified webpack output for a browser-targeted SPFx module; consistent with this package's build pattern. | ai | |
| source-diff | net-exec-file:dist/chunk.sp-http-msgraphclient_none_6d389c02f34816871f0e.js | AI (source-diff): Standard webpack bundle of @microsoft/microsoft-graph-client; new Function pattern is webpack global detection boilerplate, not malware. | ai | |
| source-diff | obfuscated-file:dist/sp-http-msgraph_default_c345b1136baeaf609f5b.js | AI (source-diff): Standard minified webpack output for a browser-targeted SPFx module; consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/sp-http-msgraph_en-us_cc5ab1e0d9da31c20b62.js | AI (source-diff): Standard minified webpack output for a browser-targeted SPFx module; consistent with this package's build pattern. | ai | |
| source-diff | obfuscated-file:dist/sp-http-msgraph_qps-ploc_6f3faadf7a5eba06e866.js | AI (source-diff): Standard minified webpack output for a browser-targeted SPFx module; consistent with this package's build pattern. | ai | |
| provenance | no-provenance | AI (provenance): Microsoft's established publishing pattern; provenance absence is ecosystem-wide norm. | ai | |
| dependencies | unvetted-dep:@microsoft/microsoft-graph-clientv1 | AI (dependencies): Pinned alias to @microsoft/[email protected] from the same Microsoft org; stable pattern across SPFx versions. | ai | |
| phantom-deps | phantom-dep:@swc/helpers | AI (phantom-deps): Known implicit runtime dependency for SWC-compiled SPFx packages; stable false positive for this org. | ai | |
| phantom-deps | phantom-dep:@microsoft/sp-loader | AI (phantom-deps): Same-org SPFx dependency; phantom-dep heuristic fires due to indirect import pattern, not a real concern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): SPFx component packages routinely lack README code blocks and keywords; not indicative of spam. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 8 / 5 | |
| 1.22.2 | 7 / 6 | |
| 1.22.1 | 7 / 6 | |
| 1.22.0 | 7 / 6 | |
| 1.21.1 | 7 / 6 | |
v1.23.0
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.