@ohif/extension-cornerstone
OHIF extension for Cornerstone
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/ohif-extension-cornerstone.umd.js | AI (source-diff): Standard webpack UMD bundle; encoded strings are base64-encoded CSS/data URIs typical of this build output, not malicious payloads. | ai | |
| phantom-deps | phantom-dep:immutability-helper | AI (phantom-deps): New dep added as replacement for lodash.merge; likely used indirectly through bundled code rather than direct ES import. | ai | |
| phantom-deps | phantom-dep:lodash.zip | AI (phantom-deps): Webpack-bundled package; lodash modules may be consumed indirectly via build config. | ai | |
| phantom-deps | phantom-dep:html2canvas | AI (phantom-deps): Likely used via dynamic import or build config in this bundled extension. | ai | |
| phantom-deps | phantom-dep:lodash.merge | AI (phantom-deps): Consumed via build config or indirect import in bundled output. | ai | |
| phantom-deps | phantom-dep:shader-loader | AI (phantom-deps): Webpack loader referenced in .webpack config files, not source imports. | ai | |
| phantom-deps | phantom-dep:worker-loader | AI (phantom-deps): Webpack loader referenced in .webpack config files, not source imports. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep; consumed by transpiled output, not direct imports. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established OHIF ecosystem package; sparse README is typical for monorepo sub-packages. | ai | |
| phantom-deps | phantom-dep:lodash.flatten | AI (phantom-deps): Consumed via build config or indirect import in bundled output. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Consumed via build config or indirect import in bundled output. | ai | |
| phantom-deps | phantom-dep:@icr/polyseg-wasm | AI (phantom-deps): Platform-specific WASM binary; loaded at runtime, not via static import. | ai | |
| phantom-deps | phantom-dep:@cornerstonejs/adapters | AI (phantom-deps): Cornerstone ecosystem package; may be consumed indirectly via re-exports. | ai | |
| phantom-deps | phantom-dep:@itk-wasm/morphological-contour-interpolation | AI (phantom-deps): Platform-specific WASM binary; loaded at runtime, not via static import. | ai | |
| phantom-deps | phantom-dep:lodash.compact | AI (phantom-deps): Consumed via build config or indirect import in bundled output. | ai | |
| provenance | no-provenance | AI (provenance): Long-standing package predating provenance attestation; consistent with rest of OHIF monorepo. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 3.12.4 | 18 / 0 | |
| 3.12.3 | 18 / 0 | |
| 3.12.2 | 18 / 0 | |
| 3.12.1 | 18 / 0 | |
| 3.12.0 | 18 / 0 | |
| 3.11.1 | 17 / 0 | |
| 3.11.0 | 17 / 0 | |
| 3.10.4 | 17 / 0 | |
| 3.10.2 | 17 / 0 | |
v3.12.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.