
@strapi/core

Core of Strapi

Versions: 12
License: SEE LICENSE IN LICENSE
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pierreburgyaurelsicokoalexandrebodinconvlynico-strapistrapi.adzouzbaronvoninternetmarc-roig-strapijhoward1994bassel17

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:copyfiles | AI (phantom-deps): Copyfiles is a build tool declared in dependencies and used in build scripts; phantom-dep pattern is expected for CLI/build tooling. | ai |
provenance | no-provenance | AI (provenance): Lack of provenance is common (88% of npm); not a disqualifier for established packages from trusted publishers. | ai |
phantom-deps | phantom-dep:@strapi/generators | AI (phantom-deps): Same-org @strapi/* package; used indirectly via CLI or dynamic imports in the Strapi monorepo. | ai |
phantom-deps | phantom-dep:commander | AI (phantom-deps): Large monorepo packages commonly declare CLI/build deps that are used indirectly or in tooling scripts. | ai |
phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is used as a build-time dependency in Strapi's monorepo; phantom detection is expected. | ai |
dependencies | unvetted-dep:koa-ip | AI (dependencies): koa-ip is a standard Koa middleware for IP filtering; appropriate dependency for a web framework core. | ai |
dependencies | unvetted-dep:@koa/cors | AI (dependencies): @koa/cors is the official CORS middleware for Koa, maintained by the Koa org; appropriate for a web framework. | ai |
dependencies | unvetted-dep:koa-helmet | AI (dependencies): koa-helmet is a well-known security middleware for Koa; appropriate for a web framework core. | ai |
dependencies | unvetted-dep:koa-session | AI (dependencies): koa-session is a standard session middleware for Koa; appropriate for a web framework core. | ai |
dependencies | unvetted-dep:@vercel/stega | AI (dependencies): @vercel/stega is a known Vercel utility for steganographic encoding; legitimate dependency for Strapi's draft/preview features. | ai |
phantom-deps | phantom-dep:ora | AI (phantom-deps): Large monorepo packages commonly declare CLI/build deps that are used indirectly or in tooling scripts. | ai |
phantom-deps | phantom-dep:execa | AI (phantom-deps): Large monorepo packages commonly declare CLI/build deps that are used indirectly or in tooling scripts. | ai |
phantom-deps | phantom-dep:pkg-up | AI (phantom-deps): Large monorepo packages commonly declare CLI/build deps that are used indirectly or in tooling scripts. | ai |
phantom-deps | phantom-dep:inquirer | AI (phantom-deps): Large monorepo packages commonly declare CLI/build deps that are used indirectly or in tooling scripts. | ai |
bogus-package | bogus-package | AI (bogus-package): @strapi/core is the core of the well-known Strapi headless CMS. Short README and no keywords are cosmetic issues, not spam indicators. | ai |
typosquat | typosquat.levenshtein:cors | AI (typosquat): @strapi/core is the legitimate Strapi framework core package, not a typosquat of 'cors'. The Levenshtein match is coincidental; the packages are entirely unrelated. | ai |

Versions (showing 12 of 12)

Version | Deps | Published
5.47.1 | 57 / 24 |
5.47.0 | 57 / 25 |
5.46.1 | 55 / 25 |
5.46.0 | 55 / 25 |
5.45.1 | 55 / 25 |
5.45.0 | 55 / 25 |
5.44.0 | 55 / 25 |
5.43.0 | 55 / 25 |
5.36.1 | 56 / 25 |
5.36.0 | 56 / 23 |
5.30.0 | 56 / 23 |
5.25.0 | 56 / 23 |

v5.47.1

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.47.0

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.46.1

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.46.0

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.45.1

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.45.0

1 finding
INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.43.0

2 findings
HIGH: typosquat.levenshtein: Possible typosquat of 'cors' (typosquat)

Package name '@strapi/core' is 1 edit(s) away from popular package 'cors'.

LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.36.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.36.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.30.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.