@supernova-studio/pulsar-core

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

artufimtcevoskar_koristkasupernova-cijiritrecaksusergiiseva-supernovamatej.bobeksn-filipdanisko

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): punycode is a well-known stdlib polyfill; no malicious indicators in this addition.	ai	2026/06/04
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publisher is consistent with org automation; stable for this package going forward.	ai	2026/06/03
maintainer-change	maintainer-added	AI (maintainer-change): sn-filipdanisko addition aligns with the org's CI migration; no malicious indicators.	ai	2026/06/03
bogus-package	bogus-package	AI (bogus-package): Established 350-version package; sparse README/keywords are a known pattern for this SDK component.	ai	2026/06/03
phantom-deps	phantom-dep:dot-prop	AI (phantom-deps): dot-prop declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:ts-dedent	AI (phantom-deps): ts-dedent declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:jsep	AI (phantom-deps): jsep is declared in dependencies and used via config; phantom-dep heuristic false positive for this package.	ai	2026/05/20
phantom-deps	phantom-dep:@jsep-plugin/object	AI (phantom-deps): @jsep-plugin/object declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:@jsep-plugin/ternary	AI (phantom-deps): @jsep-plugin/ternary declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:async-mutex	AI (phantom-deps): async-mutex declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:uuid	AI (phantom-deps): uuid declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:lodash	AI (phantom-deps): lodash declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20
phantom-deps	phantom-dep:moment	AI (phantom-deps): moment declared in dependencies; phantom-dep heuristic false positive.	ai	2026/05/20

Versions (showing 38 of 38)

Version	Deps	Published
2.7.23	24 / 28	2026-06-02
2.7.21	24 / 28	2026-05-18
2.7.20	24 / 28	2026-05-15
2.7.19	24 / 28	2026-03-27
2.7.18	24 / 28	2026-03-27
2.7.17	24 / 28	2026-03-26
2.7.15	24 / 28	2026-03-20
2.7.14	25 / 28	2026-03-19
2.7.13	24 / 28	2026-03-15
2.7.12	24 / 28	2026-03-10
2.7.10	24 / 28	2026-01-30
2.7.9	24 / 28	2026-01-05
2.7.8	24 / 28	2025-12-17
2.7.7	24 / 28	2025-12-17
2.7.6	24 / 28	2025-11-24
2.7.5	24 / 28	2025-11-14
2.7.4	24 / 28	2025-08-18
2.7.3	24 / 28	2025-06-20
2.7.2	24 / 28	2025-06-20
2.7.1	24 / 28	2025-06-19
2.7.0	24 / 28	2025-06-18
2.6.33	24 / 28	2025-06-15
2.6.32	24 / 28	2025-06-12
2.6.31	24 / 28	2025-06-02
2.6.29	24 / 28	2025-06-02
2.6.28	24 / 28	2025-06-02
2.6.27	24 / 28	2025-05-30
2.6.25	24 / 28	2025-05-28
2.6.24	24 / 28	2025-05-28
2.6.23	24 / 28	2025-05-28
2.6.22	24 / 28	2025-05-28
2.6.21	24 / 28	2025-05-28
2.6.20	24 / 28	2025-05-23
2.6.19	24 / 28	2025-05-23
2.6.18	24 / 28	2025-05-23
2.6.17	24 / 28	2025-05-21
2.6.16	24 / 28	2025-05-21
2.6.15	24 / 28	2025-05-20

v2.7.23

2 findings

HIGH Publisher changed: susergii → GitHub Actions (on 2026-06-02) provenance

This version was published by a different npm account than previous versions on 2026-06-02. This could indicate a legitimate maintainer transition or an account compromise.