@nocobase/preset-nocobase
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@nocobase/plugin-ai | AI (phantom-deps): Plugin preset declares plugins for dynamic loading; not direct imports. | ai | |
| phantom-deps | phantom-dep:@nocobase/plugin-client | AI (phantom-deps): Preset meta-package; all @nocobase/* deps are intentionally declared for plugin orchestration, not direct imports. | ai | |
| phantom-deps | phantom-dep:@nocobase/plugin-workflow-javascript | AI (phantom-deps): Preset meta-package; all @nocobase/* deps are intentionally declared for plugin orchestration, not direct imports. | ai | |
| phantom-deps | phantom-dep:@formily/json-schema | AI (phantom-deps): Referenced in config files as expected for a preset package; not a phantom dep in the malicious sense. | ai | |
| phantom-deps | phantom-dep:@nocobase/plugin-acl | AI (phantom-deps): Preset meta-package; all @nocobase/* deps are intentionally declared for plugin orchestration, not direct imports. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:cronstrue | AI (phantom-deps): Referenced in config files; used by workflow plugins in the preset bundle. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to read package.json metadata for plugin compatibility checks — standard plugin manager pattern, not arbitrary code execution. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Meta/preset package with no standalone usage; README style is expected. Package has 943 versions, 1438 days old, official GitHub repo. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): Referenced in config files; standard utility used by the plugin manager infrastructure. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 2.0.62 | 101 / 0 | |
| 2.0.61 | 101 / 0 | |
| 2.0.46 | 100 / 0 | |
| 2.0.43 | 100 / 0 | |
| 2.0.28 | 100 / 0 | |
| 2.0.27 | 100 / 0 | |
| 2.0.26 | 100 / 0 | |
| 1.9.63 | 84 / 0 | |
| 1.9.44 | 84 / 0 | |
| 1.9.43 | 84 / 0 | |
| 1.8.32 | 82 / 0 | |
v2.0.62
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.61
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.43
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.28
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.27
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.26
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.63
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.44
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.43
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.32
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.