@scandit/web-datacapture-label

Scandit Data Capture SDK for the Web

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

scandit-lorenzoscandit-cimoritz-scanditscandit-sebastienscandit-thomas

Keywords

scanditbarcodedata capturecaptureqrscanscannerscanningcodewebassemblysdkjavascripttypescriptlabel capture

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:new-function-constructor	AI (semgrep): Emscripten-generated WASM JS glue; new Function() is standard in this build output across all Scandit SDK versions.	ai	2026/05/19
source-diff	large-new-source-files	AI (source-diff): New files are ML model assets and WASM bundles expected for label-capture feature additions.	ai	2026/05/19
source-diff	obfuscated-file:build/js/NativeProxy-B98bIlIp.d.ts	AI (source-diff): Long lines are TypeScript declaration union-type imports, not obfuscated code; stable pattern for Scandit SDK packages.	ai	2026/05/10
bogus-package	bogus-package	AI (bogus-package): Scandit commercial SDK suite; templated naming and minimal README are expected patterns across their package family.	ai	2026/04/29
phantom-deps	phantom-dep:@types/emscripten	AI (phantom-deps): @types/emscripten is a type-only dependency for WebAssembly bindings; not directly imported at runtime by convention.	ai	2026/04/29