@syntrologie/runtime-sdk
Syntrologie Runtime SDK for web experimentation and analytics
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/adaptives/adaptive-viz/index.js | AI (source-diff): Long strings in bundled output are typical of minified third-party libs (e.g. JSON Patch); no payload indicators. | ai | |
| source-diff | obfuscated-file:dist/adaptives/adaptive-product/index.js | AI (source-diff): Minified esbuild bundle output; sample shows standard Zod/Lit exports, not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:@syntrologie/adapt-faq | AI (phantom-deps): Same-org package; likely used indirectly via re-exports or dynamic loading within the SDK. | ai | |
| phantom-deps | phantom-dep:@syntrologie/adapt-gamification | AI (phantom-deps): Same-org package; likely used indirectly via re-exports or dynamic loading within the SDK. | ai | |
| phantom-deps | phantom-dep:@syntrologie/adapt-chatbot | AI (phantom-deps): Same-org package; likely used indirectly via re-exports or dynamic loading within the SDK. | ai | |
| phantom-deps | phantom-dep:@syntrologie/adapt-nav | AI (phantom-deps): Same-org package; likely used indirectly via re-exports or dynamic loading within the SDK. | ai | |
| source-diff | obfuscated-file:dist/adaptives/adaptive-chatbot/index.js | AI (source-diff): Standard esbuild minified Lit component output; matches declared build toolchain. | ai | |
| source-diff | obfuscated-file:dist/adaptives/adaptive-feedback/index.js | AI (source-diff): Standard esbuild minified Lit component output; matches declared build toolchain. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): High-frequency automated releases (375 versions); rapid publish is expected pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/adaptives/adaptive-mcp/index.js | AI (source-diff): esbuild-minified bundle with source maps; standard SDK build artifact, not obfuscated malware. | ai | |
| source-diff | net-exec-file:dist/adaptives/adaptive-mcp/index.js | AI (source-diff): Network calls and dynamic property access in a minified SDK bundle; no dropper/loader pattern evident. | ai | |
| source-diff | net-exec-file:dist/adaptives/adaptive-viz/index.js | AI (source-diff): Network calls and dynamic property access in a minified SDK bundle; no dropper/loader pattern evident. | ai | |
| source-diff | obfuscated-file:dist/adaptives/adaptive-viz/index.js | AI (source-diff): esbuild-minified bundle with source maps; standard SDK build artifact, not obfuscated malware. | ai | |
| dependencies | unvetted-dep:lit | AI (dependencies): lit is a well-known Google-maintained web components library; its inclusion is expected for SDK packages using web components. | ai | |
| phantom-deps | phantom-dep:@lit/task | AI (phantom-deps): Declared dep likely bundled into dist output; phantom-dep finding is a false positive for this bundled SDK package. | ai | |
| phantom-deps | phantom-dep:@growthbook/growthbook-react | AI (phantom-deps): Declared dep likely bundled or conditionally imported; phantom-dep finding is a false positive for this bundled SDK package. | ai | |
| phantom-deps | phantom-dep:@lit/context | AI (phantom-deps): Declared dep likely bundled into dist output; phantom-dep finding is a false positive for this bundled SDK package. | ai | |
Versions (showing 48 of 48)
| Version | Deps | Published |
|---|---|---|
| 2.28.0 | 8 / 17 | |
| 2.27.0 | 8 / 17 | |
| 2.26.0 | 8 / 17 | |
| 2.25.2 | 8 / 17 | |
| 2.25.1 | 8 / 17 | |
| 2.25.0 | 8 / 17 | |
| 2.24.3 | 8 / 17 | |
| 2.24.2 | 8 / 17 | |
| 2.24.1 | 8 / 17 | |
| 2.24.0 | 8 / 17 | |
| 2.23.0 | 8 / 17 | |
| 2.22.0 | 8 / 17 | |
| 2.21.0 | 8 / 17 | |
| 2.20.0 | 8 / 17 | |
| 2.19.0 | 8 / 17 | |
| 2.18.0 | 7 / 17 | |
| 2.17.0 | 7 / 17 | |
| 2.16.0 | 9 / 22 | |
| 2.15.0 | 9 / 22 | |
| 2.14.0 | 6 / 20 | |
| 2.13.0 | 6 / 20 | |
| 2.12.0 | 6 / 20 | |
| 2.8.0 | 12 / 20 | |
| 2.7.0 | 12 / 20 | |
| 2.6.0 | 12 / 20 | |
| 2.5.1 | 12 / 20 | |
| 2.4.0 | 11 / 20 | |
| 2.3.0 | 11 / 20 | |
| 0.2.21 | 7 / 5 | |
| 0.2.20 | 7 / 5 | |
| 0.2.19 | 7 / 5 | |
| 0.2.18 | 7 / 5 | |
| 0.2.17 | 7 / 5 | |
| 0.2.16 | 7 / 5 | |
| 0.2.15 | 7 / 5 | |
| 0.2.14 | 7 / 5 | |
| 0.2.13 | 7 / 5 | |
| 0.2.12 | 7 / 5 | |
| 0.2.11 | 7 / 5 | |
| 0.2.10 | 7 / 5 | |
| 0.2.9 | 7 / 5 | |
| 0.2.8 | 7 / 5 | |
| 0.2.7 | 7 / 5 | |
| 0.2.6 | 7 / 5 | |
| 0.2.4 | 7 / 5 | |
| 0.2.3 | 7 / 5 | |
| 0.2.1 | 7 / 2 | |
| 0.2.0 | 7 / 2 | |
v2.28.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.27.0
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.26.0
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.25.2
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.25.1
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.25.0
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.3
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.2
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.24.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.23.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.22.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.21.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.20.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.19.0
5 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.18.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.17.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.14.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.13.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.12.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.7.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.1
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.21
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.20
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.19
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.18
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.17
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.16
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.15
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.14
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.13
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.12
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.11
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.10
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.9
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.7
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.3
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.1
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.