@trustpayments/js-payments-card

TypeScript Payment Card

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

stdevapijames-simpson-stllifon-jones-tp

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:promise-polyfill	AI (phantom-deps): Declared runtime dep used via webpack bundle, not directly imported in source.	ai	2026/05/26
phantom-deps	phantom-dep:terser-webpack-plugin	AI (phantom-deps): Build-time dep referenced in webpack config, not directly imported in source.	ai	2026/05/26
phantom-deps	phantom-dep:ie-array-find-polyfill	AI (phantom-deps): Polyfill loaded via webpack/config for IE11 support, not directly imported.	ai	2026/05/26
provenance	no-provenance	AI (provenance): Established org package with consistent publish history; lack of Sigstore attestation is not a disqualifier here.	ai	2026/05/22
install-scripts	install-script:preinstall	AI (install-scripts): npx force-resolutions is a standard dependency-resolution enforcement tool; stable pattern for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@trustpayments/ts-luhn-check	AI (phantom-deps): Same-org package; likely consumed indirectly within the bundle.	ai	2026/04/29
phantom-deps	phantom-dep:core-js	AI (phantom-deps): core-js is a known implicit polyfill dependency; not directly imported by convention.	ai	2026/04/29
phantom-deps	phantom-dep:@babel/runtime	AI (phantom-deps): Framework-scoped runtime dep loaded by transpiler convention, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@trustpayments/ts-iin-lookup	AI (phantom-deps): Same-org package; likely consumed indirectly within the bundle.	ai	2026/04/29