@nocobase/ai
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source repository: nothing attests which commit and which build workflow produced the bytes the registry serves, so a tarball built from modified or private sources is indistinguishable from a faithful build of the tagged release. The axios compromise (March 2026) relied on exactly this gap. Note that the registry's integrity hash does not close it: the hash only proves you received the same tarball the publisher uploaded, not that the tarball matches the source.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:xlsx | AI (dependencies): xlsx is a well-known spreadsheet library; its use in a document-processing AI plugin is expected and not a security concern for this package. | ai | |
| provenance | no-provenance | AI (provenance): NocoBase packages consistently lack Sigstore provenance; publisher is well-established with 3413 approved packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped monorepo plugin package from the nocobase org; sparse READMEs are normal for sub-packages in large monorepos. Not spam or phishing. | ai | |
| phantom-deps | phantom-dep:d3-dsv | AI (phantom-deps): d3-dsv is a data parsing utility declared for optional/dynamic use in this AI plugin's document ingestion pipeline; phantom pattern is stable for this package. | ai | |
| dependencies | unvetted-dep:@langchain/google-genai | AI (dependencies): Official LangChain Google GenAI integration; expected dependency for a NocoBase AI plugin supporting multiple LLM backends. | ai | |
| phantom-deps | phantom-dep:langchain | AI (phantom-deps): Phantom dep pattern consistent with dynamic/conditional loading in a plugin architecture supporting multiple LLM providers. | ai | |
| phantom-deps | phantom-dep:pdf-parse | AI (phantom-deps): Phantom dep pattern consistent with config-driven dynamic loading of document parsers in the NocoBase AI plugin. | ai | |
| phantom-deps | phantom-dep:officeparser | AI (phantom-deps): Phantom dep pattern consistent with config-driven dynamic loading of document parsers in the NocoBase AI plugin. | ai | |
| phantom-deps | phantom-dep:word-extractor | AI (phantom-deps): Phantom dep pattern consistent with config-driven dynamic loading of document parsers in the NocoBase AI plugin. | ai | |
| phantom-deps | phantom-dep:@langchain/core | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| phantom-deps | phantom-dep:@langchain/openai | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| phantom-deps | phantom-dep:@langchain/classic | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| phantom-deps | phantom-dep:@langchain/community | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| phantom-deps | phantom-dep:@langchain/langgraph | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| phantom-deps | phantom-dep:@langchain/langgraph-checkpoint | AI (phantom-deps): Phantom dep pattern consistent with dynamic LLM provider loading in the NocoBase AI plugin architecture. | ai | |
| dependencies | unvetted-dep:flexsearch | AI (dependencies): flexsearch is a well-known full-text search library; appropriate for an AI/search plugin in the NocoBase ecosystem. | ai | |
| dependencies | unvetted-dep:officeparser | AI (dependencies): officeparser is a legitimate document parsing library; appropriate for document ingestion in an AI plugin. | ai | |
| dependencies | unvetted-dep:word-extractor | AI (dependencies): word-extractor is a legitimate .doc file parsing library; appropriate for document ingestion in an AI plugin. | ai | |
| dependencies | unvetted-dep:@langchain/ollama | AI (dependencies): Official LangChain Ollama integration; expected dependency for a NocoBase AI plugin supporting multiple LLM backends. | ai | |
| dependencies | unvetted-dep:@langchain/deepseek | AI (dependencies): Official LangChain DeepSeek integration; expected dependency for a NocoBase AI plugin supporting multiple LLM backends. | ai | |
| dependencies | unvetted-dep:@langchain/anthropic | AI (dependencies): Official LangChain Anthropic integration; expected dependency for a NocoBase AI plugin supporting multiple LLM backends. | ai | |
| phantom-deps | phantom-dep:mammoth | AI (phantom-deps): Phantom dep pattern is consistent with NocoBase AI plugin's config-driven dynamic loading of document parsers. | ai | |
| phantom-deps | phantom-dep:@langchain/ollama | AI (phantom-deps): AI provider adapters are loaded conditionally/dynamically in plugin architectures; phantom-dep is expected for optional integrations. | ai | |
| phantom-deps | phantom-dep:@langchain/anthropic | AI (phantom-deps): AI provider adapters are loaded conditionally/dynamically in plugin architectures; phantom-dep is expected for optional integrations. | ai | |
| phantom-deps | phantom-dep:@langchain/deepseek | AI (phantom-deps): AI provider adapters are loaded conditionally/dynamically in plugin architectures; phantom-dep is expected for optional integrations. | ai | |
| phantom-deps | phantom-dep:@langchain/google-genai | AI (phantom-deps): AI provider adapters are loaded conditionally/dynamically in plugin architectures; phantom-dep is expected for optional integrations. | ai | |
| phantom-deps | phantom-dep:@nocobase/resourcer | AI (phantom-deps): Same-org monorepo dependency; phantom-dep finding is a false positive for monorepo packages loaded at runtime. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @nocobase/ai is not a typosquat of ajv; levenshtein match is a false positive for scoped org packages. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @nocobase/ai is not a typosquat of hapi; levenshtein match is a false positive for scoped org packages. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @nocobase/ai is not a typosquat of joi; levenshtein match is a false positive for scoped org packages. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped package @nocobase/ai is not a typosquat of qs; levenshtein match is a false positive for scoped org packages. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @nocobase/ai is not a typosquat of pg; levenshtein match is a false positive for scoped org packages. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 2.0.46 | 22 / 0 | |
| 2.0.43 | 22 / 0 | |
| 2.0.42 | 22 / 0 | |
| 2.0.41 | 22 / 0 | |
| 2.0.40 | 20 / 0 | |
| 2.0.39 | 20 / 0 | |
| 2.0.38 | 20 / 0 | |
| 2.0.36 | 20 / 0 | |
| 2.0.35 | 20 / 0 | |
| 2.0.33 | 20 / 0 | |
| 2.0.32 | 20 / 0 | |
| 2.0.30 | 20 / 0 | |
| 2.0.29 | 20 / 0 | |
| 2.0.28 | 20 / 0 | |
| 2.0.27 | 20 / 0 | |
| 2.0.26 | 20 / 0 | |
| 2.0.24 | 20 / 0 | |
| 2.0.3 | 5 / 0 | |
| 2.0.0 | 5 / 0 | |
v2.0.43, v2.0.42, v2.0.41, v2.0.40, v2.0.39, v2.0.38, v2.0.36, v2.0.35, v2.0.33, v2.0.32, v2.0.30, v2.0.29, v2.0.28, v2.0.27, v2.0.26, v2.0.24, v2.0.3, v2.0.0
1 finding (identical for every version listed above): Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.