@spscommerce/max

Versions: 13
License: UNLICENSED
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jimthedevpixelfish22rena0601spsc_cafmacybuan

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
dependencies unvetted-dep:react-microsoft-clarity AI (dependencies): react-microsoft-clarity is a known Microsoft Clarity analytics wrapper; stable false positive for this package. ai
phantom-deps phantom-dep:react-router AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:eventemitter3 AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:react-markdown AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:moment-timezone AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:copy-to-clipboard AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:@sps-woodland/illustrations AI (phantom-deps): Component library pattern; deps declared for consumers, not directly imported in bundle entry. ai
phantom-deps phantom-dep:@react-stately/collections AI (phantom-deps): Component library pattern; dep declared for indirect use. ai
phantom-deps phantom-dep:@sps-woodland/tokens AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@sps-woodland/buttons AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@sps-woodland/growler AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@spscommerce/ds-react AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:@spscommerce/services AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:@spscommerce/ds-colors AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:@spscommerce/ds-styles AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:react-microsoft-clarity AI (phantom-deps): Analytics wrapper; component library pattern, stable false positive. ai
phantom-deps phantom-dep:react-textarea-autosize AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@sps-woodland/zero-state AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@spscommerce/positioning AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:@spscommerce/ds-shared AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:axios AI (phantom-deps): Component library pattern; deps declared for consumers, not necessarily directly imported in source. ai
phantom-deps phantom-dep:moment AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:rehype-raw AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:remark-gfm AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@spscommerce/i18n AI (phantom-deps): Same org scope; component library pattern. ai
phantom-deps phantom-dep:@sps-woodland/core AI (phantom-deps): Component library pattern; stable false positive for this package. ai
phantom-deps phantom-dep:@spscommerce/utils AI (phantom-deps): Same org scope; component library pattern. ai
typosquat typosquat.levenshtein:mobx AI (typosquat): Scoped org package @spscommerce/max; Levenshtein match to 'mobx' is coincidental, not a typosquat. ai

Versions (showing 13 of 13)

Version Deps Published
0.11.0 25 / 31
0.10.0 25 / 31
0.9.0 25 / 31
0.8.0 25 / 31
0.7.0 25 / 31
0.6.0 25 / 31
0.5.0 25 / 31
0.4.0 25 / 31
0.3.0 25 / 31
0.2.0 25 / 31
0.1.1 23 / 31
0.1.0 22 / 31
0.0.1 21 / 31

v0.11.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.