@stonecrop/atable
Advanced data table component for Stonecrop
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/stores/table.js | AI (source-diff): Standard Pinia/Vue store; no actual network calls or dynamic code execution in the sample. | ai | |
| source-diff | net-exec-file:dist/atable.umd.cjs | AI (source-diff): Sample shows standard Vue/Pinia UMD bundle with Google Fonts CSS import; no actual network-fetched code execution. | ai | |
| source-diff | net-exec-file:dist/src/stores/table.js | AI (source-diff): Sample shows legitimate Pinia store implementation with no network calls or dynamic code execution visible. | ai | |
| phantom-deps | phantom-dep:@stonecrop/themes | AI (phantom-deps): Same-org monorepo sibling; indirect consumption is expected in this build setup. | ai | |
| phantom-deps | phantom-dep:@stonecrop/utilities | AI (phantom-deps): Same-org monorepo sibling; indirect consumption is expected in this build setup. | ai | |
| phantom-deps | phantom-dep:@vueuse/components | AI (phantom-deps): Referenced in config files per finding; not a true phantom dep for this package. | ai |
Versions (showing 51 of 98)
| Version | Deps | Published |
|---|---|---|
| 0.13.8 | 5 / 18 | |
| 0.13.7 | 5 / 18 | |
| 0.13.6 | 5 / 18 | |
| 0.13.5 | 5 / 18 | |
| 0.13.4 | 5 / 22 | |
| 0.13.3 | 5 / 22 | |
| 0.13.2 | 5 / 22 | |
| 0.13.1 | 5 / 22 | |
| 0.13.0 | 5 / 22 | |
| 0.12.8 | 5 / 22 | |
| 0.12.7 | 5 / 22 | |
| 0.12.6 | 5 / 22 | |
| 0.12.5 | 5 / 22 | |
| 0.12.4 | 5 / 22 | |
| 0.12.3 | 5 / 22 | |
| 0.12.2 | 5 / 22 | |
| 0.12.1 | 5 / 22 | |
| 0.12.0 | 5 / 22 | |
| 0.11.10 | 4 / 22 | |
| 0.11.9 | 4 / 22 | |
| 0.11.8 | 4 / 22 | |
| 0.11.7 | 4 / 21 | |
| 0.11.6 | 4 / 21 | |
| 0.11.5 | 4 / 21 | |
| 0.10.16 | 4 / 21 | |
| 0.10.15 | 4 / 21 | |
| 0.10.14 | 4 / 21 | |
| 0.10.13 | 4 / 21 | |
| 0.10.12 | 4 / 21 | |
| 0.10.11 | 4 / 21 | |
| 0.10.10 | 4 / 21 | |
| 0.10.9 | 4 / 21 | |
| 0.10.8 | 4 / 21 | |
| 0.10.7 | 4 / 21 | |
| 0.10.6 | 4 / 21 | |
| 0.10.5 | 4 / 21 | |
| 0.10.4 | 4 / 21 | |
| 0.10.3 | 4 / 21 | |
| 0.10.2 | 4 / 21 | |
| 0.10.1 | 4 / 21 | |
| 0.10.0 | 4 / 21 | |
| 0.9.2 | 4 / 21 | |
| 0.9.1 | 4 / 21 | |
| 0.9.0 | 4 / 21 | |
| 0.8.13 | 6 / 19 | |
| 0.8.12 | 6 / 19 | |
| 0.8.11 | 6 / 19 | |
| 0.8.10 | 6 / 19 | |
| 0.8.9 | 6 / 19 | |
| 0.8.8 | 6 / 19 | |
| 0.8.7 | 6 / 19 |
v0.13.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alchez) than the most recent previously approved version (knuckledown) on 2026-05-28, but alchez is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.13.1
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alchez) than the most recent previously approved version (knuckledown) on 2026-05-28, but alchez is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v0.13.0
4 findingsThis version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.7
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.6
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.5
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.4
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.10
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.9
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.8
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.