@openfin/core
Supply chain provenance
Status for the latest version shown below (45.100.91): published without SLSA/Sigstore provenance.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing ties the published bytes to a specific repository commit and build run, so a tarball uploaded from a compromised maintainer account is indistinguishable from one built by CI. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known TypeScript runtime helper; stable false positive for this package. | ai | |
| source-diff | net-exec-file:out/stub.mjs | AI (source-diff): stub.mjs is the ESM build artifact of the OpenFin SDK; network calls and dynamic execution are part of the SDK's normal IPC/runtime bridge, not malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): es-toolkit is a well-established utility library replacing lodash; not a suspicious dependency addition. | ai | |
| dependencies | unvetted-dep:openfin-adapter | AI (dependencies): Monorepo file: reference bundled into the package; not a registry bypass risk. | ai | |
| npm-metadata | url-dep:openfin-adapter | AI (npm-metadata): file: dep is a monorepo bundled dependency (listed in bundleDependencies); stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:openfin-adapter | AI (phantom-deps): Bundled monorepo dep; not directly imported but included via bundleDependencies. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a proxy/stub pattern in out/stub.js; not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a type-only dep loaded by convention; phantom-dep finding is expected and benign. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a declared runtime dep used by the OpenFin runtime layer; phantom-dep heuristic is a false positive here. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @openfin/core is a legitimate scoped package from OpenFin, not a typosquat of 'cors'. | ai | |
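Two of the accepted rows above (the `file:` dependency on openfin-adapter that is also in bundleDependencies, and the Levenshtein hit against 'cors') are easy to re-derive from the manifest, which is the check a reviewer should run before accepting them for a new version. The following is an added example, not the scanner's code or OpenFin's; the manifest is constructed to mirror the rows above, and `example-helper` and the `registry.example` style URLs are hypothetical.

```python
"""Re-derive the url-dep / unvetted-dep and typosquat rows from a manifest.

Added example, not part of the scanner page or the OpenFin project. The
manifest below is constructed: the `file:` dependency mirrors the accepted
rows above, `example-helper` is a hypothetical git dependency added to show
the case that should stay blocked.
"""
import json
from typing import Any

# Constructed manifest (assumption, not the real package.json of @openfin/core).
MANIFEST_JSON = """
{
  "name": "@openfin/core",
  "version": "45.100.91",
  "dependencies": {
    "openfin-adapter": "file:../openfin-adapter",
    "ws": "^8.0.0",
    "tslib": "^2.0.0",
    "es-toolkit": "^1.0.0",
    "example-helper": "git+https://example.com/example-helper.git"
  },
  "bundleDependencies": ["openfin-adapter"]
}
"""

# Specs that resolve somewhere other than the registry the lockfile pins.
NON_REGISTRY_PREFIXES = ("file:", "link:", "git+", "github:", "http://", "https://")


def load_manifest() -> dict[str, Any]:
    return json.loads(MANIFEST_JSON)


def bundled_names(manifest: dict[str, Any]) -> set[str]:
    """Names shipped inside the tarball. npm accepts a list, or `true` for all deps."""
    raw = manifest.get("bundleDependencies", manifest.get("bundledDependencies"))
    if raw is True:
        return set(manifest.get("dependencies", {}))
    return set(raw or [])


def non_registry_deps(manifest: dict[str, Any]) -> list[dict[str, Any]]:
    """Flag dependencies that bypass the registry (the url-dep / unvetted-dep rules).

    The only pattern accepted is the one the reviewer accepted above: a `file:`
    path that is also listed in bundleDependencies, so the code ships inside the
    published tarball instead of being fetched from an unpinned location.
    """
    bundled = bundled_names(manifest)
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        if not spec.startswith(NON_REGISTRY_PREFIXES):
            continue
        is_local_bundled = spec.startswith("file:") and name in bundled
        findings.append({
            "rule": f"url-dep:{name}",
            "spec": spec,
            "bundled": name in bundled,
            "action": "accept" if is_local_bundled else "block",
        })
    return findings


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a)*len(b)) time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_distances(name: str, popular: str) -> dict[str, Any]:
    """Show why the rule fires: it compares the unscoped name, not the full one."""
    scoped = name.startswith("@")
    unscoped = name.split("/", 1)[1] if scoped else name
    return {
        "scope": name.split("/", 1)[0] if scoped else None,
        "scoped_distance": levenshtein(name, popular),
        "unscoped_distance": levenshtein(unscoped, popular),
    }


if __name__ == "__main__":
    manifest = load_manifest()
    for finding in non_registry_deps(manifest):
        print(finding)
    print(typosquat_distances(manifest["name"], "cors"))
```

The distance on the full scoped name is 10, on the bare name `core` it is 1: the rule strips the scope before comparing, which is the whole reason the finding fires and the reason it can be accepted for a package that is only installable under `@openfin/`.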
Versions (showing 51 of 174)
| Version | Deps | Published |
|---|---|---|
| 45.100.91 | 5 / 0 | |
| 45.100.88 | 5 / 0 | |
| 45.100.87 | 5 / 0 | |
| 45.100.86 | 5 / 0 | |
| 45.100.85 | 5 / 0 | |
| 45.100.84 | 5 / 0 | |
| 45.100.83 | 5 / 0 | |
| 45.100.81 | 5 / 0 | |
| 45.100.79 | 5 / 0 | |
| 45.100.78 | 5 / 0 | |
| 45.100.77 | 5 / 0 | |
| 45.100.76 | 5 / 0 | |
| 45.100.75 | 5 / 0 | |
| 45.100.74 | 5 / 0 | |
| 45.100.73 | 5 / 0 | |
| 45.100.72 | 5 / 0 | |
| 45.100.71 | 5 / 0 | |
| 45.100.70 | 5 / 0 | |
| 45.100.68 | 5 / 0 | |
| 45.100.67 | 5 / 0 | |
| 45.100.65 | 5 / 0 | |
| 45.100.64 | 5 / 0 | |
| 45.100.63 | 5 / 0 | |
| 45.100.62 | 5 / 0 | |
| 45.100.61 | 5 / 0 | |
| 45.100.60 | 5 / 0 | |
| 45.100.59 | 5 / 0 | |
| 45.100.58 | 5 / 0 | |
| 45.100.56 | 5 / 0 | |
| 45.100.55 | 5 / 0 | |
| 45.100.51 | 5 / 0 | |
| 45.100.50 | 5 / 0 | |
| 45.100.49 | 5 / 0 | |
| 45.100.48 | 5 / 0 | |
| 45.100.47 | 5 / 0 | |
| 45.100.46 | 5 / 0 | |
| 45.100.45 | 5 / 0 | |
| 45.100.43 | 4 / 0 | |
| 45.100.42 | 4 / 0 | |
| 45.100.41 | 4 / 0 | |
| 45.100.40 | 4 / 0 | |
| 45.100.39 | 4 / 0 | |
| 45.100.38 | 4 / 0 | |
| 45.100.37 | 4 / 0 | |
| 45.100.32 | 4 / 0 | |
| 45.100.30 | 4 / 0 | |
| 45.100.29 | 4 / 0 | |
| 45.100.27 | 4 / 0 | |
| 45.100.23 | 4 / 0 | |
| 45.100.19 | 4 / 0 | |
| 45.100.18 | 4 / 0 | |
v45.100.91
3 findings
- This version was published by a different npm account than previous versions on 2026-06-03. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution, a pattern characteristic of dropper/loader malware. For this package the reviewer accepted it as the SDK's IPC/runtime bridge in out/stub.mjs (see Accepted risks above).
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.88
3 findings
- This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution, a pattern characteristic of dropper/loader malware. For this package the reviewer accepted it as the SDK's IPC/runtime bridge in out/stub.mjs (see Accepted risks above).
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.87
3 findings
- This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution, a pattern characteristic of dropper/loader malware. For this package the reviewer accepted it as the SDK's IPC/runtime bridge in out/stub.mjs (see Accepted risks above).
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.86
3 findings
- This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added file contains both network calls and dynamic code execution, a pattern characteristic of dropper/loader malware. For this package the reviewer accepted it as the SDK's IPC/runtime bridge in out/stub.mjs (see Accepted risks above).
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.85
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.84
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v45.100.83
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.81
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.79
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.78
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.77
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.76
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.75
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.74
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.73
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.72
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.71
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.70
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.68
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.67
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.65
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.64
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.63
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.62
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.61
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.60
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.59
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.58
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.56
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.55
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.51
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.50
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.49
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.48
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.47
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.46
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.45
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.43
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.42
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.41
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.40
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.39
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.38
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.37
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.32
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.30
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.29
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.27
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.23
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.19
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v45.100.18
2 findings
- The unscoped package name 'core' is 1 edit away from popular package 'cors'; the Levenshtein check ignores the '@openfin/' scope, and the reviewer accepted this above as a false positive for this scoped package.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
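The two findings that recur through the version list (a publish by a different npm account than the previous version, and a publish without Sigstore provenance) and the provenance status at the top of the page all come from the registry packument: `versions[*]._npmUser` names the publishing account and `versions[*].dist.attestations` is only present when a Sigstore provenance bundle was uploaded. The following is an added example of how to derive those findings yourself, not the scanner's code or OpenFin's; the packument is constructed (`publisher-a`, `publisher-b`, the `registry.example` URLs and version 45.100.92 with provenance are hypothetical), and the publish dates are made to match the ones the page reports.

```python
"""Derive publisher-change and missing-provenance findings from a packument.

Added example, not part of the scanner page or the OpenFin project. The
packument below is a constructed fragment of what `npm view <pkg> --json`
returns; only the `time` map, `_npmUser` and `dist.attestations` are used.
"""
import json
from typing import Any

# Constructed packument (assumption). Accounts, URLs and 45.100.92 are hypothetical.
PACKUMENT_JSON = """
{
  "name": "@openfin/core",
  "time": {
    "created": "2026-05-01T00:00:00.000Z",
    "modified": "2026-06-10T08:00:00.000Z",
    "45.100.85": "2026-05-20T10:00:00.000Z",
    "45.100.86": "2026-05-27T09:00:00.000Z",
    "45.100.91": "2026-06-03T12:00:00.000Z",
    "45.100.92": "2026-06-10T08:00:00.000Z"
  },
  "versions": {
    "45.100.85": {"_npmUser": {"name": "publisher-a"},
                  "dist": {"tarball": "https://registry.example/-/core-45.100.85.tgz"}},
    "45.100.86": {"_npmUser": {"name": "publisher-b"},
                  "dist": {"tarball": "https://registry.example/-/core-45.100.86.tgz"}},
    "45.100.91": {"_npmUser": {"name": "publisher-b"},
                  "dist": {"tarball": "https://registry.example/-/core-45.100.91.tgz"}},
    "45.100.92": {"_npmUser": {"name": "publisher-b"},
                  "dist": {"tarball": "https://registry.example/-/core-45.100.92.tgz",
                           "attestations": {
                             "url": "https://registry.example/-/npm/v1/attestations/@openfin%2fcore@45.100.92",
                             "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}}
  }
}
"""


def load_packument() -> dict[str, Any]:
    return json.loads(PACKUMENT_JSON)


def publish_order(packument: dict[str, Any]) -> list[str]:
    """Versions in publish order. `time` also holds created/modified, so keep
    only keys that are real versions. ISO-8601 UTC strings sort lexically."""
    times = {v: t for v, t in packument["time"].items() if v in packument["versions"]}
    return sorted(times, key=times.__getitem__)


def has_provenance(version_doc: dict[str, Any]) -> bool:
    """True when the registry holds a Sigstore bundle for this version.
    Presence is a necessary condition only; `npm audit signatures` verifies it."""
    att = version_doc.get("dist", {}).get("attestations") or {}
    return bool(att.get("url")) and "provenance" in att


def version_findings(packument: dict[str, Any]) -> dict[str, list[str]]:
    """Replay the two recurring checks over consecutive versions in publish order."""
    findings: dict[str, list[str]] = {}
    prev_user = None
    for version in publish_order(packument):
        doc = packument["versions"][version]
        user = (doc.get("_npmUser") or {}).get("name")
        date = packument["time"][version][:10]
        out = []
        if prev_user is not None and user != prev_user:
            out.append(f"published by a different npm account than previous "
                       f"versions ({prev_user} -> {user}) on {date}")
        if not has_provenance(doc):
            out.append("published without Sigstore provenance")
        findings[version] = out
        prev_user = user
    return findings


if __name__ == "__main__":
    for version, notes in version_findings(load_packument()).items():
        print(version, notes or ["no findings"])
```

Sorting by `time` rather than by semver matters: a backport published later to an older line would otherwise hide a publisher change. Once a package does ship attestations, `npm audit signatures` in a checked-out project verifies both the registry signature and the provenance bundle for every installed version, which is the check to add to CI rather than trusting the presence of the field.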