@thi.ng/ecs
Entity Component System based around typed arrays & sparse sets
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @thi.ng/ecs package from established monorepo; Levenshtein match to 'qs' is a false positive. | ai | |
| dependencies | unvetted-dep:@thi.ng/api | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo; not an independent supply-chain risk. | ai | |
| dependencies | unvetted-dep:@thi.ng/dcons | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai | |
| dependencies | unvetted-dep:@thi.ng/idgen | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai | |
| dependencies | unvetted-dep:@thi.ng/binary | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai | |
| dependencies | unvetted-dep:@thi.ng/malloc | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai | |
| dependencies | unvetted-dep:@thi.ng/associative | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai | |
| dependencies | unvetted-dep:@thi.ng/transducers | AI (dependencies): Sibling package from the same thi.ng/umbrella monorepo. | ai |
Versions (showing 48 of 48)
| Version | Deps | Published |
|---|---|---|
| 0.7.215 | 10 / 4 | |
| 0.7.214 | 10 / 4 | |
| 0.7.213 | 10 / 4 | |
| 0.7.211 | 10 / 4 | |
| 0.7.210 | 10 / 4 | |
| 0.7.208 | 10 / 4 | |
| 0.7.207 | 10 / 4 | |
| 0.7.206 | 10 / 4 | |
| 0.7.205 | 10 / 4 | |
| 0.7.204 | 10 / 4 | |
| 0.7.203 | 10 / 4 | |
| 0.7.202 | 10 / 4 | |
| 0.7.201 | 10 / 4 | |
| 0.7.200 | 10 / 4 | |
| 0.7.198 | 10 / 4 | |
| 0.7.197 | 10 / 4 | |
| 0.7.196 | 10 / 4 | |
| 0.7.195 | 10 / 4 | |
| 0.7.194 | 10 / 4 | |
| 0.7.193 | 10 / 4 | |
| 0.7.192 | 10 / 4 | |
| 0.7.191 | 10 / 4 | |
| 0.7.190 | 10 / 4 | |
| 0.7.189 | 10 / 4 | |
| 0.7.188 | 10 / 4 | |
| 0.7.184 | 10 / 4 | |
| 0.7.183 | 10 / 4 | |
| 0.7.182 | 10 / 4 | |
| 0.7.181 | 10 / 4 | |
| 0.7.180 | 10 / 4 | |
| 0.7.179 | 10 / 4 | |
| 0.7.178 | 10 / 4 | |
| 0.7.176 | 10 / 4 | |
| 0.7.175 | 10 / 4 | |
| 0.7.174 | 10 / 4 | |
| 0.7.173 | 10 / 4 | |
| 0.7.172 | 10 / 4 | |
| 0.7.171 | 10 / 4 | |
| 0.7.170 | 10 / 4 | |
| 0.7.169 | 11 / 4 | |
| 0.7.168 | 11 / 4 | |
| 0.7.167 | 11 / 4 | |
| 0.7.166 | 11 / 4 | |
| 0.7.165 | 11 / 4 | |
| 0.7.164 | 11 / 4 | |
| 0.7.163 | 11 / 4 | |
| 0.7.162 | 11 / 4 | |
| 0.7.161 | 11 / 4 |
v0.7.215
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.214
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.213
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.211
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.210
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.208
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.205
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.204
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.203
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.202
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.201
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.200
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.198
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.197
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.196
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.195
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.194
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.193
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.192
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.191
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.190
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.189
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.188
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.184
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.183
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.182
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.181
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.180
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.179
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.178
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.176
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.175
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.174
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.173
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.172
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.171
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.170
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.169
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.168
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.167
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.166
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.165
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.164
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.163
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.162
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.161
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.