← Home

@tsparticles/engine

npm Repository Homepage
7
Versions
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

ar3smatteobruni

Keywords

front-endfrontendtsparticlesparticles.jsparticlesjsparticlesparticlecanvasjsparticlesxparticlesparticles-jsparticles-bgparticles-bg-vueparticles-tsparticles.tsreact-particles-jsreact-particles.jsreact-particlesreactreactjsvue-particlesngx-particlesangular-particlesparticlegroundvuevuejspreactpreactjsjqueryangularjsangulartypescriptjavascriptanimationwebhtml5web-designwebdesigncsshtmlcss3animatedbackgroundconfetticanvasfireworksfireworks-jsconfetti-jsconfettijsfireworksjscanvas-confetti

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff large-new-source-files AI (source-diff): Major version restructuring; no suspicious content, consistent with v4 release. ai
provenance publisher-changed AI (provenance): Transition from personal account to GitHub Actions CI/CD publishing with SLSA provenance; expected for this repo. ai
semgrep semgrep:eval-usage AI (semgrep): Webpack eval source-map pattern in bundled UMD output; not malicious. ai
install-scripts install-script:install AI (install-scripts): Script reads consumer package.json for config; stable pattern across tsparticles releases. ai
semgrep semgrep:dynamic-require AI (semgrep): Reads INIT_CWD/package.json for install config; not arbitrary module loading. ai

Versions (showing 7 of 7)

Version Deps Published
4.0.4 0 / 0
4.0.3 0 / 0
4.0.2 0 / 0
4.0.1 0 / 0
4.0.0 0 / 0
3.9.1 0 / 0
3.9.0 0 / 0

v4.0.4

2 findings
HIGH Publisher changed: matteobruni → GitHub Actions (on 2026-05-19) provenance

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

2 findings
HIGH Publisher changed: matteobruni → GitHub Actions (on 2026-05-18) provenance

This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

2 findings
HIGH Publisher changed: matteobruni → GitHub Actions (on 2026-05-16) provenance

This version was published by a different npm account than previous versions on 2026-05-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

2 findings
HIGH Publisher changed: matteobruni → GitHub Actions (on 2026-05-16) provenance

This version was published by a different npm account than previous versions on 2026-05-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

2 findings
HIGH Publisher changed: matteobruni → GitHub Actions (on 2026-05-15) provenance

This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.