@playcanvas/splat-transform

Library and CLI tool for 3D Gaussian splat format conversion and transformation

Versions: 9
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

playcanvas

Keywords

3d-gaussian-splatting, cli, gaussian-splatting, playcanvas, supersplat, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Long string is inlined CSS in a JS bundle — standard rollup build artifact, not obfuscated payload. | ai |
source-diff | encoded-string-file:dist/cli.mjs | AI (source-diff): Same inlined CSS pattern; benign build artifact. | ai |
source-diff | encoded-string-file:dist/index.mjs | AI (source-diff): Same inlined CSS pattern; benign build artifact. | ai |
dependencies | unvetted-dep:webgpu | AI (dependencies): webgpu is a legitimate WebGPU type-definitions package appropriate for this GPU-accelerated splat transform library. | ai |
phantom-deps | phantom-dep:webgpu | AI (phantom-deps): webgpu is a declared dep used for types/config, not directly imported at runtime; stable false positive for this package. | ai |

Versions (showing 9 of 9)

Version Deps Published
2.2.1 2 / 20
2.2.0 2 / 20
2.0.6 1 / 20
2.0.5 1 / 20
2.0.4 1 / 20
2.0.3 1 / 20
2.0.2 1 / 20
2.0.1 1 / 20
2.0.0 1 / 19

v2.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.3

4 findings
HIGH Long encoded string in modified file: dist/index.cjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/cli.mjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: dist/index.mjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.