@thi.ng/webgl-msdf
Multi-channel SDF font rendering & basic text layout for WebGL
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Long-established thi.ng/umbrella monorepo; no provenance is consistent across all its packages. | ai |
Versions (showing 51 of 57)
| Version | Deps | Published |
|---|---|---|
| 2.1.258 | 6 / 3 | |
| 2.1.257 | 6 / 3 | |
| 2.1.256 | 6 / 3 | |
| 2.1.254 | 6 / 3 | |
| 2.1.253 | 6 / 3 | |
| 2.1.251 | 6 / 3 | |
| 2.1.250 | 6 / 3 | |
| 2.1.249 | 6 / 3 | |
| 2.1.248 | 6 / 3 | |
| 2.1.247 | 6 / 3 | |
| 2.1.246 | 6 / 3 | |
| 2.1.245 | 6 / 3 | |
| 2.1.244 | 6 / 3 | |
| 2.1.243 | 6 / 3 | |
| 2.1.242 | 6 / 3 | |
| 2.1.241 | 6 / 3 | |
| 2.1.239 | 6 / 3 | |
| 2.1.238 | 6 / 3 | |
| 2.1.237 | 6 / 3 | |
| 2.1.236 | 6 / 3 | |
| 2.1.235 | 6 / 3 | |
| 2.1.234 | 6 / 3 | |
| 2.1.233 | 6 / 3 | |
| 2.1.231 | 6 / 3 | |
| 2.1.230 | 6 / 3 | |
| 2.1.229 | 6 / 3 | |
| 2.1.228 | 6 / 3 | |
| 2.1.227 | 6 / 3 | |
| 2.1.223 | 6 / 3 | |
| 2.1.222 | 6 / 3 | |
| 2.1.221 | 6 / 3 | |
| 2.1.220 | 6 / 3 | |
| 2.1.219 | 6 / 3 | |
| 2.1.218 | 6 / 3 | |
| 2.1.217 | 6 / 3 | |
| 2.1.216 | 6 / 3 | |
| 2.1.215 | 6 / 3 | |
| 2.1.214 | 6 / 3 | |
| 2.1.213 | 6 / 3 | |
| 2.1.212 | 6 / 3 | |
| 2.1.211 | 6 / 3 | |
| 2.1.209 | 6 / 3 | |
| 2.1.208 | 6 / 3 | |
| 2.1.207 | 6 / 3 | |
| 2.1.206 | 6 / 3 | |
| 2.1.205 | 6 / 3 | |
| 2.1.204 | 6 / 3 | |
| 2.1.203 | 6 / 3 | |
| 2.1.202 | 6 / 3 | |
| 2.1.201 | 6 / 3 | |
| 2.1.200 | 6 / 3 |
v2.1.258
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.257
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.256
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.254
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.253
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.251
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.249
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.248
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.247
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.246
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.245
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.244
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.243
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.242
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.241
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.239
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.238
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.237
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.236
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.235
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.234
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.233
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.231
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.230
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.229
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.228
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.227
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.223
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.222
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.221
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.220
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.219
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.218
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.217
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.216
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.215
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.214
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.213
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.212
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.211
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.209
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.208
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.207
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.206
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.205
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.204
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.203
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.202
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.201
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.200
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.