@patternslib/patternslib
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Explicitly documented as CSP-unsafe with a warning; intentional template helper, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:luxon | AI (phantom-deps): Large UI library; phantom-dep heuristic unreliable for webpack-bundled packages with optional/lazy imports. | ai | |
| phantom-deps | phantom-dep:showdown | AI (phantom-deps): Same as above — config-referenced deps in a bundled library are not phantom deps in the malicious sense. | ai | |
| phantom-deps | phantom-dep:moment-timezone | AI (phantom-deps): Same as above. | ai | |
| phantom-deps | phantom-dep:showdown-prettify | AI (phantom-deps): Same as above. | ai | |
| phantom-deps | phantom-dep:@fullcalendar/adaptive | AI (phantom-deps): Same as above. | ai |
v9.10.5
2 findingsDependency 'slick-carousel' in `dependencies` points to 'git+https://github.com/kenwheeler/slick.git#d0716f19aa730006ee80ab026625fb1107816a97' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.10.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.