
@openmrs/esm-form-entry-app

Angular form engine for O3

Versions: 4
License: MPL-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mogoodrich, openmrs-bot, rkorytkowski, djazayeri, joeldenning, mksd, brandones, jdick, bmamlin, dkibet, mdubey, dennisforthewin, ibacher

Keywords

openmrs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/2395.d8b554fe5fdbaa9a.js | AI (source-diff): Standard webpack-minified Angular bundle; locale data and polyfills visible in sample, not obfuscation. | ai |
source-diff | net-exec-file:dist/main.b9acca46762b2547.js | AI (source-diff): Network/exec pattern is webpack chunk loading infrastructure, not dropper malware. | ai |
source-diff | obfuscated-file:dist/main.b9acca46762b2547.js | AI (source-diff): Standard webpack-minified Angular main bundle; reflect-metadata polyfill visible in sample. | ai |
source-diff | net-exec-file:dist/2395.d8b554fe5fdbaa9a.js | AI (source-diff): Network/exec pattern is webpack chunk loading infrastructure, not dropper malware. | ai |
phantom-deps | phantom-dep:tree-model | AI (phantom-deps): Bundled dep; heuristic false positive for this Angular app pattern. | ai |
phantom-deps | phantom-dep:ngx-webcam | AI (phantom-deps): Angular component library used via template/module, not direct TS import detectable by heuristic. | ai |
phantom-deps | phantom-dep:ngx-bootstrap | AI (phantom-deps): Angular module-based usage; not detectable as direct import by phantom-dep heuristic. | ai |
phantom-deps | phantom-dep:@carbon/styles | AI (phantom-deps): CSS/style package imported via webpack config, not TS import. | ai |
phantom-deps | phantom-dep:slick-carousel | AI (phantom-deps): CSS/JS carousel loaded via config, not direct TS import. | ai |
phantom-deps | phantom-dep:@ng-select/ng-select | AI (phantom-deps): Angular module-based usage; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:systemjs-webpack-interop | AI (phantom-deps): Used in webpack config, not direct TS import; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@angular-extensions/elements | AI (phantom-deps): Angular module-based usage; phantom-dep heuristic false positive. | ai |
phantom-deps | phantom-dep:jspdf | AI (phantom-deps): Bundled Angular app; deps declared for webpack bundling, not direct import in analyzed entry points. | ai |
phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same; bundled transitive dep declared in package.json for bundler resolution. | ai |
phantom-deps | phantom-dep:@angular/compiler-cli | AI (phantom-deps): Framework-scoped Angular package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@openmrs/ngx-file-uploader | AI (phantom-deps): Same org scope; likely re-exported or used indirectly; stable false positive. | ai |
phantom-deps | phantom-dep:@angular/cdk | AI (phantom-deps): Framework-scoped Angular package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@angular/animations | AI (phantom-deps): Framework-scoped Angular package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:@angular/material | AI (phantom-deps): Framework-scoped Angular package loaded by convention; stable false positive. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit Angular/TypeScript runtime dep; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@angular/compiler | AI (phantom-deps): Framework-scoped Angular package loaded by convention; stable false positive. | ai |

Versions (showing 4 of 4)

Version | Deps | Published
12.1.0 | 30 / 31 |
12.0.2 | 30 / 31 |
12.0.1 | 30 / 31 |
12.0.0 | 30 / 31 |

v12.0.2

1 finding
LOW  No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v12.0.1

5 findings
HIGH  New obfuscated file: dist/2395.d8b554fe5fdbaa9a.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New file with network + code execution: dist/2395.d8b554fe5fdbaa9a.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH  New obfuscated file: dist/main.b9acca46762b2547.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New file with network + code execution: dist/main.b9acca46762b2547.js (source-diff)

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW  No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v12.0.0

1 finding
LOW  No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.