@moneybutton/config
Money Button configuration.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from ryanxcharles to calvo.generico occurred in 2019; calvo.generico is a long-standing Money Button team member with 119 approved packages. | ai | |
| license | uncommon-license:Open-BSV | AI (license): Open-BSV is the standard license for the Money Button / BSV ecosystem packages; not a risk signal. | ai | |
| source-diff | net-exec-file:dist/mb-config.umd.js | AI (source-diff): The file is a standard webpack UMD bundle (webpackUniversalModuleDefinition boilerplate). Dynamic require is webpack's module loading mechanism, not malicious code execution. This pattern is stable for this package's build output. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a legitimate runtime dependency injected by Babel's transform-runtime plugin; not a phantom dep in the malicious sense. | ai |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 0.38.8 | 0 / 3 | |
| 0.38.7 | 0 / 3 | |
| 0.38.6 | 0 / 3 | |
| 0.38.5 | 1 / 21 | |
| 0.38.4 | 1 / 21 | |
| 0.38.3 | 1 / 21 | |
| 0.38.2 | 1 / 21 | |
| 0.38.1 | 1 / 21 | |
| 0.37.0 | 1 / 21 | |
| 0.36.0 | 1 / 21 | |
| 0.35.0 | 1 / 21 | |
| 0.34.0 | 1 / 21 | |
| 0.33.0 | 1 / 21 | |
| 0.32.0 | 1 / 23 | |
| 0.31.3 | 1 / 23 | |
| 0.31.2 | 1 / 23 | |
| 0.31.1 | 1 / 23 | |
| 0.31.0 | 1 / 23 | |
| 0.30.1 | 1 / 23 | |
| 0.30.0 | 1 / 23 | |
| 0.29.0 | 1 / 23 | |
| 0.28.1 | 1 / 23 | |
| 0.28.0 | 1 / 23 | |
| 0.27.0 | 1 / 23 | |
| 0.26.0 | 1 / 23 | |
| 0.25.0 | 1 / 23 | |
| 0.24.4 | 1 / 23 | |
| 0.24.3 | 1 / 23 | |
| 0.24.2 | 1 / 23 | |
| 0.24.1 | 1 / 23 | |
| 0.24.0 | 1 / 23 | |
| 0.23.0 | 1 / 23 | |
| 0.22.2 | 1 / 23 | |
| 0.21.11 | 1 / 23 | |
| 0.21.10 | 1 / 23 | |
| 0.21.9 | 1 / 23 | |
| 0.21.8 | 1 / 23 | |
| 0.21.7 | 1 / 23 | |
| 0.21.5 | 1 / 23 | |
| 0.21.3 | 1 / 23 | |
| 0.21.2 | 1 / 23 | |
| 0.21.1 | 1 / 23 | |
| 0.1.8 | 1 / 23 | |
| 0.1.7 | 1 / 23 | |
| 0.1.0 | 1 / 22 |
v0.38.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.7
2 findingsThis version was published by a different npm account than previous versions on 2021-07-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.3
2 findingsThis version was published by a different npm account than previous versions on 2020-05-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.2
3 findingsThis version was published by a different npm account than previous versions on 2020-04-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.38.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.37.0
3 findingsThis version was published by a different npm account than previous versions on 2020-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.36.0
3 findingsThis version was published by a different npm account than previous versions on 2020-03-06. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.35.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.34.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.33.0
2 findingsThis version was published by a different npm account than previous versions on 2020-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.32.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.1
3 findingsThis version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.31.0
2 findingsThis version was published by a different npm account than previous versions on 2019-11-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.30.0
3 findingsThis version was published by a different npm account than previous versions on 2019-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
2 findingsThis version was published by a different npm account than previous versions on 2019-10-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.1
3 findingsThis version was published by a different npm account than previous versions on 2019-10-13. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.4
3 findingsThis version was published by a different npm account than previous versions on 2019-08-28. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.3
3 findingsThis version was published by a different npm account than previous versions on 2019-08-23. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.2
2 findingsThis version was published by a different npm account than previous versions on 2019-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.1
2 findingsThis version was published by a different npm account than previous versions on 2019-08-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.0
2 findingsThis version was published by a different npm account than previous versions on 2019-06-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.2
2 findingsThis version was published by a different npm account than previous versions on 2019-06-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.7
3 findingsThis version was published by a different npm account than previous versions on 2019-04-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.3
2 findingsThis version was published by a different npm account than previous versions on 2019-03-03. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.2
3 findingsThis version was published by a different npm account than previous versions on 2019-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.1
3 findingsThis version was published by a different npm account than previous versions on 2019-02-10. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
2 findingsThis version was published by a different npm account than previous versions on 2018-11-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.