
@moneko/core

14 Versions
MIT License
No Install Scripts
Missing Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

moneko

Keywords

monekocore

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Only ~12% of npm has provenance; not a disqualifier for established packages. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Publisher has strong track record (29 approved, 0 rejected); no content changes from prior version. | ai |
phantom-deps | phantom-dep:marked-completed | AI (phantom-deps): Build tooling package; config-referenced peer deps are expected pattern. | ai |
phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Build tooling package; config-referenced peer deps are expected pattern. | ai |
phantom-deps | phantom-dep:chokidar | AI (phantom-deps): Build tooling package; config-referenced peer deps are expected pattern. | ai |
phantom-deps | phantom-dep:webpack-virtual-modules | AI (phantom-deps): Build tooling package; config-referenced peer deps are expected pattern. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Fires on minified imports of node built-ins (crypto, path); not arbitrary module loading. | ai |
dependencies | unvetted-dep:@moneko/mdx | AI (dependencies): Same-org package from the same maintainer; not a third-party supply chain risk. | ai |
dependencies | unvetted-dep:@moneko/eslint | AI (dependencies): Same-org package from the same maintainer; not a third-party supply chain risk. | ai |
dependencies | unvetted-dep:@moneko/convert | AI (dependencies): Same-org package from the same maintainer; not a third-party supply chain risk. | ai |
dependencies | unvetted-dep:@moneko/request | AI (dependencies): Same-org package from the same maintainer; not a third-party supply chain risk. | ai |
dependencies | unvetted-dep:@moneko/stylelint | AI (dependencies): Same-org package from the same maintainer; not a third-party supply chain risk. | ai |
bogus-package | bogus-package | AI (bogus-package): Package is a build/config tool; sparse README is typical for internal tooling with 1246 versions published. | ai |
typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @moneko/core is not a typosquat of cors; it's a long-lived org-scoped build tool with 1246 versions. | ai |
phantom-deps | phantom-dep:swc-loader | AI (phantom-deps): Webpack loader referenced in config files; normal for a build tooling package. | ai |
phantom-deps | phantom-dep:core-js | AI (phantom-deps): Known implicit runtime polyfill dependency; expected for this build tool. | ai |
phantom-deps | phantom-dep:husky | AI (phantom-deps): Dev tooling referenced in config; not a runtime import concern. | ai |
phantom-deps | phantom-dep:less | AI (phantom-deps): Build tooling dependency referenced in config files; expected for a webpack-based build package. | ai |
phantom-deps | phantom-dep:webpack-merge | AI (phantom-deps): Webpack config utility referenced in config files; normal for this package. | ai |
phantom-deps | phantom-dep:browserslist | AI (phantom-deps): Build config dependency; expected for a webpack/SWC build tool. | ai |
phantom-deps | phantom-dep:less-loader | AI (phantom-deps): Webpack loader referenced in config files; normal for a build tooling package. | ai |
phantom-deps | phantom-dep:core-js-compat | AI (phantom-deps): Build-time polyfill compat tool; expected for a transpilation build package. | ai |
phantom-deps | phantom-dep:@moneko/request | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic unreliable for org-internal deps. | ai |
phantom-deps | phantom-dep:@moneko/raw-import | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic unreliable for org-internal deps. | ai |
phantom-deps | phantom-dep:@moneko/transform-imports | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic unreliable for org-internal deps. | ai |
phantom-deps | phantom-dep:webpack-hot-middleware | AI (phantom-deps): Webpack middleware referenced in config; expected for a dev-server build tool. | ai |

Versions (showing 14 of 14)

Version | Deps | Published
4.8.7 | 22 / 0 |
4.8.6 | 22 / 0 |
4.8.5 | 22 / 0 |
4.8.4 | 22 / 0 |
4.8.1 | 22 / 0 |
4.8.0 | 22 / 0 |
4.7.20 | 22 / 0 |
4.7.8 | 22 / 0 |
4.6.10 | 23 / 7 |
4.0.3 | 23 / 10 |
4.0.0 | 23 / 10 |
3.57.4 | 27 / 10 |
3.57.3 | 27 / 10 |
3.57.2 | 27 / 10 |

v4.8.7

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.8.6

2 findings
HIGH  [typosquat]  typosquat.levenshtein: Possible typosquat of 'cors'

Package name '@moneko/core' is 1 edit(s) away from popular package 'cors'.

LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.8.5

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.8.4

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.8.1

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.8.0

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.7.20

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.7.8

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.6.10

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.3

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.0

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.57.4

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.57.3

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.57.2

1 finding
LOW  [provenance]  No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.