@microsoft/sp-list-subscription
Developer support for subscribing to changes in a SharePoint document library.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/sp-list-subscription_none_0d0437c6f0341e69982b.js | AI (source-diff): Standard webpack bundle output for this SPFx package; minified dist files are expected across all versions. | ai | |
| source-diff | net-exec-file:dist/sp-list-subscription_none_0d0437c6f0341e69982b.js | AI (source-diff): Network calls are socket.io-client bundled code; dynamic module loading is webpack's require() shim — expected for this SPFx bundle. | ai | |
| source-diff | obfuscated-file:dist/sp-list-subscription_none_34018caf96b2ae30527a.js | AI (source-diff): Standard webpack/AMD bundle for SPFx; minified output is expected for this Microsoft package. | ai | |
| source-diff | net-exec-file:dist/sp-list-subscription_none_34018caf96b2ae30527a.js | AI (source-diff): Network calls are socket.io-client internals; no dynamic code execution beyond normal module loading patterns. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-component-base | AI (dependencies): Sibling Microsoft SPFx package at matching version; expected dependency for this package family. | ai | |
| phantom-deps | phantom-dep:@swc/helpers | AI (phantom-deps): Known implicit runtime dependency for SWC-compiled packages; stable pattern for this org. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-http | AI (dependencies): Sibling Microsoft SPFx package at matching version; expected dependency for this package family. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established Microsoft SPFx library; sparse README is a style choice, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:@microsoft/sp-page-context | AI (phantom-deps): Same org scope; may be used transitively or via type-only imports in SPFx build toolchain. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-diagnostics | AI (dependencies): Sibling Microsoft SPFx package at matching version; expected dependency for this package family. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-core-library | AI (dependencies): Sibling Microsoft SPFx package at matching version; expected dependency for this package family. | ai | |
| dependencies | unvetted-dep:@microsoft/sp-page-context | AI (dependencies): Sibling Microsoft SPFx package at matching version; expected dependency for this package family. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 1.23.0 | 7 / 6 | |
| 1.22.2 | 7 / 6 | |
| 1.22.1 | 7 / 6 | |
| 1.22.0 | 7 / 6 | |
| 1.21.1 | 7 / 6 |
v1.23.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.