@otplib/core
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed to GitHub Actions as part of a legitimate CI/CD migration; SLSA provenance attestation confirms the release originates from the official yeojz/otplib repo. This pattern is stable going forward. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance attestation is a positive signal; no suppression needed but marking as accepted to avoid re-routing. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @otplib/core is the core module of the otplib OTP library, not a typosquat of cors. The name similarity is purely coincidental; these are unrelated packages in different domains. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 13.4.1 | 0 / 4 | |
| 13.4.0 | 0 / 4 | |
| 13.3.0 | 0 / 4 | |
| 13.2.1 | 0 / 4 | |
| 13.2.0 | 0 / 4 | |
| 13.1.1 | 0 / 4 | |
| 13.1.0 | 0 / 4 | |
| 13.0.2 | 0 / 4 | |
| 13.0.1 | 0 / 4 | |
| 13.0.0 | 0 / 4 | |
v13.4.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.4.0
2 findings: Package name '@otplib/core' is 1 edit(s) away from popular package 'cors'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v13.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.