← Home

@perceptimagery/3d-configurator

npm
8
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

satputerohannilesh-percept

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff encoded-string-file:dist/index.js AI (source-diff): Encoded string is a WASM binary (ZSTD decoder) embedded as base64 — standard bundling pattern, not obfuscated malware. ai
bogus-package bogus-package AI (bogus-package): Established 71-version package in a private org scope; sparse metadata is typical for internal/commercial libraries. ai
phantom-deps phantom-dep:react-dom AI (phantom-deps): Same as react — peer/bundled dep, stable false positive. ai
phantom-deps phantom-dep:dat.gui AI (phantom-deps): Debug UI dep used in config/dev context; stable false positive for this package. ai
phantom-deps phantom-dep:gsap AI (phantom-deps): 3D configurator library; gsap is a runtime animation dep used in bundled output, not directly imported in analyzed entry points. ai
phantom-deps phantom-dep:@perceptimagery/sprie-asset-auth AI (phantom-deps): Same-org dep; phantom-dep is a stable false positive for this internal package. ai
phantom-deps phantom-dep:three-mesh-bvh AI (phantom-deps): 3D library dep; stable false positive for this package. ai
phantom-deps phantom-dep:react AI (phantom-deps): React is a peer/bundled dep for this UI library; phantom-dep is a stable false positive here. ai

Versions (showing 8 of 8)

Version Deps Published
1.8.4001 8 / 21
1.8.3015 8 / 21
1.8.3012 8 / 21
1.8.2005 8 / 21
1.8.1001 8 / 21
1.8.8 9 / 22
1.8.6 8 / 21
1.7.1002 8 / 21

v1.8.4001

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.3015

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.3012

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.2005

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.1001

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.8.8

2 findings
HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.1002

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.