@progress/kendo-licensing
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Established Progress/Telerik commercial package; README link dump is typical for vendor licensing docs. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in license activation CLI binary; expected for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Process spawning in license CLI binary; consistent with documented activation flow. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding used for JWT/license key parsing; expected in a license validation tool. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs the package's own license-activation CLI; documented and stable for this package. | ai | |
| semgrep | semgrep:obfuscation-hex-functions | AI (semgrep): Obfuscation is intentional; javascript-obfuscator is a listed devDependency used to protect the license-check binary. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require inside intentionally obfuscated license CLI; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): jsonwebtoken is a declared runtime dependency; phantom-dep heuristic misfires here. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 1.11.2 | 3 / 0 | |
| 1.11.0 | 3 / 0 | |
| 1.10.1 | 3 / 0 | |
| 1.9.1 | 3 / 0 | |
| 1.8.0 | 2 / 0 | |
| 1.3.5 | 1 / 18 | |
v1.11.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
2 findings
Script: node ./bin/kendo-ui-license.js activate --ignore-no-license
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.1
2 findings
Script: node ./bin/kendo-ui-license.js activate --ignore-no-license
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.1
2 findings
Script: node ./bin/kendo-ui-license.js activate --ignore-no-license
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
2 findings
Script: node ./bin/kendo-ui-license.js activate --ignore-no-license
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.5
18 findings
Script: node ./bin/kendo-ui-license.js activate --ignore-no-license
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator
Source: https://github.com/telerik/kendo-licensing/blob/338cd8d32feaf2ff4136a3b5349a266e9b532803/bin/kendo-ui-license.js#L2
  1 | #!/usr/bin/env node
> 2 | var _0x226a=['DxrMltG=','D3jPDgvgAwXLu3LUyW==','z2v0t3DUuhjVCgvYDhLezxnJCMLWDg9Y','lMfUz3vSyxiVy2fJAgu=','keLorK8PieTLBM
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.