@ossy/app
Server-side rendering runtime and build tooling for Ossy apps.
Versions: 3
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
oskarssylwan
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:rollup-plugin-peer-deps-external | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-node-externals | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-inject | AI (phantom-deps): Rollup plugin loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-copy | AI (phantom-deps): Rollup config-file usage pattern; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-preserve-directives | AI (phantom-deps): Rollup config-file usage; stable false positive for this build-tool package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-postcss-modules | AI (phantom-deps): Referenced in rollup config files; standard build-tool pattern. | ai | |
| phantom-deps | phantom-dep:@ossy/connected-components | AI (phantom-deps): Same-org scoped packages used as peer/framework deps; not directly imported by convention. | ai | |
| phantom-deps | phantom-dep:terser | AI (phantom-deps): Build tool dep loaded via config; stable false positive. | ai | |
| phantom-deps | phantom-dep:cookie-parser | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@ossy/sdk | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai | |
| phantom-deps | phantom-dep:@ossy/router | AI (phantom-deps): Same org scope; loaded by convention in the @ossy framework. | ai | |
| phantom-deps | phantom-dep:morgan | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Framework/CLI tool loads deps by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-delete | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-typescript | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-dts | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@ossy/design-system | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/eslint-parser | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-alias | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Build framework package; plugins/presets declared for downstream consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Build framework package; declared for downstream consumer use. | ai | |
| phantom-deps | phantom-dep:@ossy/pages | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai | |
| phantom-deps | phantom-dep:@ossy/themes | AI (phantom-deps): Same-org package bundled as runtime dep for consumers. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Referenced in config files; standard for build framework packages. | ai | |
| phantom-deps | phantom-dep:@babel/register | AI (phantom-deps): Framework-scoped; loaded by convention not direct import. | ai | |
| phantom-deps | phantom-dep:@ossy/sdk-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| phantom-deps | phantom-dep:@babel/preset-react | AI (phantom-deps): Framework-scoped; loaded by convention. | ai | |
| phantom-deps | phantom-dep:@ossy/router-react | AI (phantom-deps): Same-org package; declared for consumer use. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a dev CLI tool spawning a child process; standard pattern for dev servers passing environment through. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of ajv. | ai | |
| typosquat | typosquat.levenshtein:yup | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of yup. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped @ossy package with 148 versions; not a typosquat of hapi. | ai |
v0.1.1 (1 finding)
LOW: No provenance attestation [provenance]
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0 (1 finding)
LOW: No provenance attestation [provenance]
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.16 (1 finding)
LOW: No provenance attestation [provenance]
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.