@phosphor/widgets — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

blink1073phosphor-usersccolbert

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@phosphor/virtualdom	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/algorithm	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/coreutils	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/messaging	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/signaling	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/disposable	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/properties	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/commands	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/domutils	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/dragdrop	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
phantom-deps	phantom-dep:@phosphor/keyboard	AI (phantom-deps): Phantom deps in @phosphor/* framework libraries are expected; dependencies are re-exported or used indirectly through the public API.	ai	2026/04/24
dependencies	unvetted-dep:@phosphor/utilities	AI (dependencies): @phosphor/utilities is a sibling package in the same PhosphorJS ecosystem/monorepo, published by the same trusted publisher. This dependency relationship is stable and expected across all versions.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): blink1073 and phosphor-user are legitimate maintainers for the PhosphorJS ecosystem; blink1073 was already a contributor.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of 'phosphor' account alongside addition of blink1073/phosphor-user reflects a legitimate project maintainer reorganization.	ai	2026/04/24
publish-pattern	dormant-publish	AI (publish-pattern): PhosphorJS is a mature, largely stable library; long dormancy followed by a maintenance release from a known contributor is expected behavior for this package.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): blink1073 (Steven Silvester) was already a listed contributor in package.json; transition from sccolbert is a documented legitimate handoff within the PhosphorJS project.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by years; absence is expected for this age cohort and not a security signal.	ai	2026/04/24

Versions (showing 29 of 29)

Version	Deps	Published
1.9.3	11 / 18	2019-10-15
1.9.2	11 / 18	2019-09-16
1.9.1	11 / 18	2019-09-06
1.9.0	11 / 18	2019-08-05
1.8.1	11 / 18	2019-06-23
1.8.0	11 / 18	2019-06-13
1.7.1	11 / 18	2019-06-11
1.7.0	11 / 18	2019-06-01
1.6.0	11 / 3	2018-05-15
1.5.0	11 / 3	2017-07-04
1.4.0	11 / 3	2017-07-01
1.3.2	11 / 3	2017-06-28
1.3.1	11 / 3	2017-06-28
1.3.0	11 / 3	2017-06-12
1.2.0	11 / 3	2017-05-15
1.1.0	11 / 2	2017-04-03
1.0.1	11 / 2	2017-03-27
1.0.0	11 / 2	2017-03-21
0.3.1	11 / 2	2017-03-16
0.3.0	11 / 2	2017-03-15
0.2.0	11 / 2	2017-03-10
0.1.7	11 / 2	2017-03-05
0.1.6	11 / 2	2017-03-04
0.1.5	11 / 0	2017-03-01
0.1.4	11 / 0	2017-02-25
0.1.3	11 / 0	2017-02-21
0.1.2	11 / 0	2017-02-20
0.1.1	10 / 0	2017-02-20
0.1.0	10 / 0	2017-02-17

v1.9.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.9.2

2 findings

HIGH Publisher changed: sccolbert → blink1073 (on 2019-09-16) provenance

This version was published by a different npm account than previous versions on 2019-09-16. This could indicate a legitimate maintainer transition or an account compromise.