← Home

@ngageoint/mage.service

npm Repository Homepage

Mage is a geospatial situational awareness and data collection platform. The Mage Service is the ReST service API that the Mage client apps use to interact with Mage data.

11
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

ngageoint-npmgisjedirachelaismheppnerschmidtkjoshnelscwerthrslattenbrentmjmckomni

Keywords

NGAMagesituational awarenessgeospatial

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:captcha-canvas AI (dependencies): Legitimate captcha rendering library replacing svg-captcha; no install scripts or malicious signals. ai
publish-pattern new-deps-added AI (publish-pattern): captcha-canvas is a benign captcha library swap; not an attack-vector addition. ai
dependencies unvetted-dep:cfenv AI (dependencies): Standard Cloud Foundry env lib; appropriate for NGA service deployment context. ai
dependencies unvetted-dep:json2csv AI (dependencies): Common CSV export utility; expected in a data collection platform. ai
dependencies unvetted-dep:passport-ldapauth AI (dependencies): Standard LDAP auth strategy for passport; expected in enterprise auth service. ai
dependencies unvetted-dep:@ngageoint/geopackage AI (dependencies): First-party NGA geospatial library; same org as this package. ai
dependencies unvetted-dep:passport-openidconnect AI (dependencies): Standard OIDC passport strategy; expected in multi-auth service. ai
dependencies unvetted-dep:@ngageoint/mongodb-migrations AI (dependencies): First-party NGA migration utility; same org as this package. ai
semgrep semgrep:base64-decode AI (semgrep): Decoding icon image data from auth config in a DB migration; not a payload execution pattern. ai
phantom-deps phantom-dep:pug AI (phantom-deps): Template engine loaded by convention via Express view engine config, not direct import. ai
phantom-deps phantom-dep:node-fetch AI (phantom-deps): Loaded via config/conditional paths; stable false positive for this package. ai
phantom-deps phantom-dep:@types/geojson AI (phantom-deps): TypeScript type package; framework-scoped, not directly imported. ai
phantom-deps phantom-dep:@types/mime-types AI (phantom-deps): TypeScript type package; framework-scoped, not directly imported. ai
phantom-deps phantom-dep:@types/json-schema AI (phantom-deps): TypeScript type package; framework-scoped, not directly imported. ai
semgrep semgrep:dynamic-require AI (semgrep): CLI tool resolving user-supplied config/module paths at runtime; expected pattern for this package. ai

Versions (showing 11 of 11)

Version Deps Published
6.6.7 51 / 53
6.6.6 51 / 53
6.6.4 51 / 53
6.6.2 51 / 53
6.6.1 51 / 53
6.6.0 51 / 53
6.5.7 51 / 53
6.5.4 51 / 53
6.5.3 51 / 53
6.5.2 51 / 53
6.3.0 51 / 52

v6.6.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.