@slabcode/kiosks-core
Core Library for KIOSKS project
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@slabcode/hubster-decorators | AI (dependencies): Same-org internal dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@slabcode/hubster-models | AI (dependencies): Same-org internal dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@slabcode/hubster-clients | AI (dependencies): Same-org internal dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@slabcode/hubster-function | AI (dependencies): Same-org internal dependency; stable pattern across all versions of this package. | ai | |
| dependencies | unvetted-dep:@slabcode/hubster-services | AI (dependencies): Same-org internal dependency; stable pattern across all versions of this package. | ai | |
| provenance | no-provenance | AI (provenance): Established internal package published via Bitbucket; provenance attestation not expected here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established internal library with 350 versions; sparse README is consistent with private/org-internal tooling. | ai | |
| phantom-deps | phantom-dep:mssql | AI (phantom-deps): mssql is a declared runtime dep used via config/convention in this ORM-based library; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/multer | AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/jsonwebtoken | AI (phantom-deps): Framework-scoped type package loaded by convention; stable false positive for this package. | ai |
Versions (showing 31 of 31)
| Version | Deps | Published |
|---|---|---|
| 1.24.18 | 19 / 13 | |
| 1.24.17 | 19 / 13 | |
| 1.24.16 | 19 / 13 | |
| 1.24.15 | 19 / 13 | |
| 1.24.14 | 19 / 13 | |
| 1.24.13 | 19 / 13 | |
| 1.24.12 | 19 / 13 | |
| 1.24.11 | 19 / 13 | |
| 1.24.8 | 19 / 13 | |
| 1.24.7 | 19 / 13 | |
| 1.24.5 | 19 / 13 | |
| 1.24.4 | 19 / 13 | |
| 1.24.3 | 19 / 13 | |
| 1.24.2 | 19 / 13 | |
| 1.24.0 | 19 / 13 | |
| 1.23.6 | 17 / 12 | |
| 1.23.5 | 17 / 12 | |
| 1.23.4 | 17 / 12 | |
| 1.23.2 | 17 / 12 | |
| 1.23.1 | 17 / 12 | |
| 1.23.0 | 17 / 12 | |
| 1.22.14 | 17 / 12 | |
| 1.22.8 | 17 / 12 | |
| 1.22.7 | 17 / 12 | |
| 1.22.6 | 17 / 12 | |
| 1.22.5 | 17 / 12 | |
| 1.22.4 | 17 / 12 | |
| 1.22.2 | 17 / 12 | |
| 1.22.1 | 17 / 12 | |
| 1.15.1 | 17 / 12 | |
| 1.14.3 | 17 / 12 |
v1.24.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.23.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.23.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.23.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.