@ngageoint/mage.web-core-lib

This library was generated with [Angular CLI](https://github.com/angular/angular-cli) version 9.1.13.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

ngageoint-npmgisjedirachelaismheppnerschmidtkjoshnelscwerthrslattenbrentmjmckomni

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): ngageoint org migrated publishing to GitHub Actions CI/CD; SLSA provenance attestation confirms legitimate pipeline.	ai	2026/05/07
source-diff	obfuscated-file:esm2022/feed/feed.service.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/paging/paging.cdk-data-source.adapter.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/static-icon/static-icon-form-field/static-icon-form-field.component.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/static-icon/static-icon-select/static-icon-select.component.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/static-icon/static-icon.module.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/feed/feed.model.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output with inline base64 source maps; normal ng-packagr artifact.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/user/user-read.service.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/user/user-select/user-select.component.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/user/user.module.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/common/xhr-img.component.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a known implicit Angular/TypeScript runtime dep; stable false positive for this package.	ai	2026/05/02
source-diff	obfuscated-file:esm2022/static-icon/static-icon.service.mjs	AI (source-diff): Angular Ivy ESM2022 compiled output; not obfuscated.	ai	2026/05/02

Versions (showing 21 of 21)

Version	Deps	Published
6.6.7	4 / 0	2026-04-30
6.6.6	4 / 0	2026-04-30
6.6.5	4 / 0	2026-04-30
6.6.4	4 / 0	2026-04-30
6.6.3	4 / 0	2026-04-29
6.6.2	4 / 0	2026-04-29
6.6.1	4 / 0	2026-04-09
6.6.0	4 / 0	2026-02-26
6.5.16	4 / 0	2026-02-25
6.5.12	4 / 0	2026-02-24
6.5.11	4 / 0	2026-02-23
6.5.10	4 / 0	2026-02-20
6.5.9	4 / 0	2026-02-20
6.5.8	4 / 0	2026-02-10
6.5.7	4 / 0	2026-01-28
6.5.6	4 / 0	2026-01-27
6.5.5	4 / 0	2025-12-12
6.5.4	4 / 0	2025-12-11
6.5.3	4 / 0	2025-12-08
6.5.2	4 / 0	2025-12-02
6.3.0	4 / 0	2025-05-28

v6.6.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.2

12 findings

HIGH New obfuscated file: esm2022/feed/feed.model.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/feed/feed.service.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/paging/paging.cdk-data-source.adapter.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/static-icon/static-icon-form-field/static-icon-form-field.component.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/static-icon/static-icon-select/static-icon-select.component.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/static-icon/static-icon.module.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/static-icon/static-icon.service.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/user/user-read.service.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/user/user-select/user-select.component.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/user/user.module.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: esm2022/common/xhr-img.component.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.7

2 findings

HIGH Publisher changed: rslatten → GitHub Actions (on 2026-01-28) provenance

This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.6

2 findings

HIGH Publisher changed: rslatten → GitHub Actions (on 2026-01-27) provenance

This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.5

2 findings

HIGH Publisher changed: rslatten → GitHub Actions (on 2025-12-12) provenance

This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.5.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.