@tscircuit/core
The core logic used to build Circuit JSON from tscircuit React elements.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:@tscircuit/jlcpcb-manufacturing-specs | AI (npm-metadata): SHA-pinned dep is in devDependencies pointing to same org; not included in published dist, stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@flatten-js/core | AI (phantom-deps): Declared dependency used in config; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:calculate-cell-boundaries | AI (dependencies): Fits tscircuit geometry utility pattern; publisher has strong track record and this is a domain-appropriate dep. | ai | |
| dependencies | unvetted-dep:react-reconciler-18 | AI (dependencies): react-reconciler-18 is a version alias for [email protected], a standard React dual-version support pattern for this package. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): nanoid is declared and used; phantom-dep rule is a false positive for config-referenced dependencies. | ai | |
| phantom-deps | phantom-dep:performance-now | AI (phantom-deps): performance-now is declared and used; phantom-dep rule is a false positive for config-referenced dependencies. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @tscircuit/core is a scoped package in the tscircuit ecosystem (circuit design framework), not a typosquat of 'cors'. The name similarity is purely coincidental; no brand impersonation. | ai | |
| dependencies | unvetted-dep:transformation-matrix | AI (dependencies): Matrix transformation library; appropriate for 2D coordinate transforms in circuit layout. | ai | |
| dependencies | unvetted-dep:@lume/kiwi | AI (dependencies): Legitimate constraint-solving library appropriate for circuit layout; no security concerns. | ai | |
| dependencies | unvetted-dep:format-si-unit | AI (dependencies): Small utility for SI unit formatting; appropriate for electronics tooling. | ai | |
| dependencies | unvetted-dep:@flatten-js/core | AI (dependencies): Geometry library for 2D operations; appropriate for circuit/PCB layout. | ai | |
| dependencies | unvetted-dep:calculate-packing | AI (dependencies): Packing algorithm library; appropriate for component placement in circuit design. | ai | |
| dependencies | unvetted-dep:svg-path-commander | AI (dependencies): SVG path manipulation library; appropriate for circuit-to-SVG rendering. | ai | |
Versions (showing 51 of 755)
| Version | Deps | Published |
|---|---|---|
| 0.0.1300 | 12 / 62 | |
| 0.0.1299 | 12 / 62 | |
| 0.0.1298 | 12 / 62 | |
| 0.0.1297 | 12 / 62 | |
| 0.0.1296 | 12 / 62 | |
| 0.0.1295 | 12 / 62 | |
| 0.0.1294 | 12 / 62 | |
| 0.0.1293 | 12 / 62 | |
| 0.0.1292 | 12 / 62 | |
| 0.0.1291 | 12 / 62 | |
| 0.0.1290 | 12 / 62 | |
| 0.0.1289 | 12 / 62 | |
| 0.0.1288 | 12 / 62 | |
| 0.0.1287 | 12 / 62 | |
| 0.0.1286 | 12 / 62 | |
| 0.0.1285 | 12 / 62 | |
| 0.0.1284 | 12 / 62 | |
| 0.0.1283 | 12 / 62 | |
| 0.0.1282 | 12 / 62 | |
| 0.0.1281 | 12 / 62 | |
| 0.0.1280 | 12 / 62 | |
| 0.0.1279 | 12 / 62 | |
| 0.0.1278 | 12 / 62 | |
| 0.0.1277 | 12 / 61 | |
| 0.0.1276 | 12 / 61 | |
| 0.0.1275 | 12 / 61 | |
| 0.0.1274 | 12 / 60 | |
| 0.0.1273 | 12 / 60 | |
| 0.0.1272 | 12 / 60 | |
| 0.0.1271 | 12 / 60 | |
| 0.0.1270 | 12 / 60 | |
| 0.0.1269 | 12 / 60 | |
| 0.0.1268 | 12 / 60 | |
| 0.0.1267 | 12 / 60 | |
| 0.0.1266 | 12 / 60 | |
| 0.0.1265 | 12 / 60 | |
| 0.0.1264 | 12 / 60 | |
| 0.0.1263 | 12 / 60 | |
| 0.0.1262 | 12 / 60 | |
| 0.0.1261 | 12 / 60 | |
| 0.0.1258 | 12 / 60 | |
| 0.0.1257 | 12 / 60 | |
| 0.0.1256 | 12 / 60 | |
| 0.0.1255 | 12 / 60 | |
| 0.0.1254 | 12 / 60 | |
| 0.0.1253 | 12 / 60 | |
| 0.0.1252 | 12 / 60 | |
| 0.0.1251 | 12 / 59 | |
| 0.0.1250 | 12 / 59 | |
| 0.0.1249 | 12 / 59 | |
| 0.0.1248 | 12 / 59 | |
v0.0.1300
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1299
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1298
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1297
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1296
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1295
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1294
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1293
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1292
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1291
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1290
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1289
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1288
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1287
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1286
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1285
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1284
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1283
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1282
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1281
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1280
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1279
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1278
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1277
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1276
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1275
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1274
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1273
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1272
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1271
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1270
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1269
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1268
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1267
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1266
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1265
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1264
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1263
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1262
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1261
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1258
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1257
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1256
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1255
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1254
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1253
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1252
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1251
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1250
2 findings: Dependency '@tscircuit/jlcpcb-manufacturing-specs' in `devDependencies` points to 'git+https://github.com/tscircuit/jlcpcb-manufacturing-specs.git#e08af159db01a37db007e33f0a7268d0e4a279a5' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1249
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1248
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.