@telia-ace/widget-components-copyright-flamingo
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:copyright-CbKrN8bA.js | AI (source-diff): Minified build artifact from an established widget component pipeline; no malicious patterns in sampled code. | ai | |
| source-diff | obfuscated-file:copyright-0FDIxl4o.js | AI (source-diff): Minified build artifact; content is standard RxJS/Lit bundle output, not obfuscated malware. Consistent across 740 versions. | ai | |
| source-diff | obfuscated-file:copyright-BL_b6pIc.js | AI (source-diff): File is a standard Rollup/Vite CJS bundle; minified but not obfuscated — normal build output for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal org package (@telia-ace scope) with 740 versions; sparse metadata is a consistent pattern across the package family, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:@telia-ace/widget-core-flamingo | AI (phantom-deps): Same org-scope sibling dependency; phantom-dep heuristic is a stable false positive for this package family. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Consistent with the @telia-ace internal package pattern across all 740 versions. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common; no other risk signals present to elevate this. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 1.1.138 | 2 / 0 | |
| 1.1.137 | 2 / 0 | |
| 1.1.136 | 2 / 0 | |
| 1.1.135 | 2 / 0 | |
| 1.1.134 | 2 / 0 | |
| 1.1.133 | 2 / 0 | |
| 1.1.132 | 2 / 0 | |
| 1.1.131 | 2 / 0 | |
| 1.1.130 | 2 / 0 | |
| 1.1.129 | 2 / 0 | |
| 1.1.128 | 2 / 0 | |
| 1.1.127 | 2 / 0 | |
| 1.1.126 | 2 / 0 | |
| 1.1.125 | 2 / 0 | |
| 1.1.124 | 2 / 0 | |
| 1.1.123 | 2 / 0 | |
| 1.1.121 | 2 / 0 | |
| 1.1.120 | 2 / 0 | |
| 1.1.119 | 2 / 0 | |
| 1.1.118 | 2 / 0 | |
| 1.1.117 | 2 / 0 | |
| 1.1.116 | 2 / 0 |
v1.1.138
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.137
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.136
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.135
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.134
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.133
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.132
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.131
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.130
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.129
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.128
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.127
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.126
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.125
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.124
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.123
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.121
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.120
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.119
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.118
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.117
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.116
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.