
@valtimo/layout

Versions: 11
License: EUPL-1.2
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

Indicators: No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source. The registry signature only proves that npm served what it received, and gitHead is a field the publishing client writes from its local checkout, unverified by anyone, so neither says which source revision or build produced the tarball. The axios compromise (March 2026) relied on exactly this gap.
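How to read these three indicators yourself, as an added example that is not the scanner's or Valtimo's code: the function below takes one version document as returned by `npm view @valtimo/layout@13.31.0 --json` (or the registry URL shown in the comments) and reports whether an SLSA attestation, registry signatures and a gitHead are present. The `dist.attestations`, `dist.signatures` and `gitHead` field names are the registry's; the two sample documents, the placeholder signature and integrity values, and the verdict labels are constructed for this example.

```javascript
// Added example, not the scanner's or Valtimo's code: read the provenance
// signals the npm registry exposes for one published version.
// Input shape mirrors a version document from the registry, e.g. the output of
//   npm view @valtimo/layout@13.31.0 --json
// or GET https://registry.npmjs.org/@valtimo%2Flayout/13.31.0

const SLSA_PREDICATES = new Set([
  'https://slsa.dev/provenance/v0.2',
  'https://slsa.dev/provenance/v1',
]);

// Returns the three indicators from the badge row above plus a verdict.
// Verdict labels are this example's own.
function provenanceStatus(versionMeta) {
  const dist = versionMeta.dist || {};
  const predicateType = dist.attestations?.provenance?.predicateType || null;
  // A SLSA attestation binds the tarball digest to a source repo, commit and
  // build run and is verified through Sigstore; it is the only one of the
  // three signals that the publisher cannot simply assert.
  const slsaProvenance = SLSA_PREDICATES.has(predicateType);
  // Registry signatures are made by npm over the tarball integrity hash. They
  // prove the registry served what it received, not where it came from.
  const registrySignatures = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  // gitHead is written by the publishing client from its local checkout and is
  // not verified by anyone; treat it as a hint, never as a link.
  const gitHead = typeof versionMeta.gitHead === 'string' ? versionMeta.gitHead : null;

  let verdict = 'unverifiable';
  if (slsaProvenance && registrySignatures) verdict = 'attested';
  else if (registrySignatures) verdict = 'signed-only';

  return { slsaProvenance, registrySignatures, gitHead, predicateType, verdict };
}

// Live lookup for a real version (Node 18+ global fetch); not used by the
// offline samples below.
async function fetchVersionMeta(name, version) {
  const encoded = encodeURIComponent(name).replace('%40', '@'); // @scope%2Fname
  const res = await fetch(`https://registry.npmjs.org/${encoded}/${version}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}@${version}`);
  return res.json();
}

// Constructed sample: a version published the way this page reports, with a
// registry signature but no attestation. Signature, key id and integrity
// values are placeholders.
const SAMPLE_UNATTESTED = {
  name: '@valtimo/layout',
  version: '13.31.0',
  gitHead: '0123456789abcdef0123456789abcdef01234567',
  dist: {
    tarball: 'https://registry.npmjs.org/@valtimo/layout/-/layout-13.31.0.tgz',
    integrity: 'sha512-<placeholder>',
    signatures: [{ keyid: 'SHA256:<registry-key-id>', sig: '<placeholder>' }],
  },
};

// Constructed sample: the same version as it would look if published with
// `npm publish --provenance` from a CI identity.
const SAMPLE_ATTESTED = {
  ...SAMPLE_UNATTESTED,
  dist: {
    ...SAMPLE_UNATTESTED.dist,
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/@valtimo%2flayout@13.31.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

console.log(provenanceStatus(SAMPLE_UNATTESTED).verdict); // signed-only
console.log(provenanceStatus(SAMPLE_ATTESTED).verdict);   // attested
```

This classifier only reports what the registry says is there; `npm audit signatures` performs the actual cryptographic check, verifying the registry signatures and any attestations for every package in the lockfile. Enabling provenance on the publishing side means running `npm publish --provenance` from a supported CI runner (on GitHub Actions the job needs the `id-token: write` permission) so that Sigstore signs a statement linking the tarball to the repository, commit and workflow that built it.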

Maintainers

devops-ritense

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
npm-metadata | no-description | AI (npm-metadata): Scoped package with long history; missing description is metadata gap, not malware signal. | ai |
provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a blocker for established packages. | ai |
source-diff | obfuscated-file:esm2022/lib/translation-management.module.mjs | AI (source-diff): Standard Angular compiler output; long lines from inline metadata, not obfuscation. | ai |
source-diff | obfuscated-file:esm2022/lib/components/translation-management/translation-management.component.mjs | AI (source-diff): Standard Angular compiler output; long lines from inline metadata, not obfuscation. | ai |
source-diff | obfuscated-file:esm2022/lib/translation-management-routing.module.mjs | AI (source-diff): Standard Angular compiler output; long lines from inline metadata, not obfuscation. | ai |
source-diff | obfuscated-file:esm2022/lib/layout.module.mjs | AI (source-diff): Standard Angular compiler output; long lines from inline metadata, not obfuscation. | ai |
source-diff | obfuscated-file:esm2022/lib/components/layout/layout.component.mjs | AI (source-diff): Standard Angular compiler output; long lines from inline metadata, not obfuscation. | ai |
source-diff | obfuscated-file:esm2022/lib/components/layout-internal/layout-internal.component.mjs | AI (source-diff): Standard Angular compiler output with ɵɵngDeclare* metadata; long lines are not obfuscation. | ai |
source-diff | source-size-dropped | AI (source-diff): Size drop explained by removal of large `ol` (OpenLayers) dependency. | ai |
source-diff | source-size-tripled | AI (source-diff): 4x size increase explained by bundling ol (OpenLayers), a large but legitimate mapping library. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): ol is a well-established open-source mapping library; addition is intentional and benign. | ai |
source-diff | large-new-source-files | AI (source-diff): Size increase attributable to OpenLayers (ol) dependency addition; not injected payload. | ai |
bogus-package | bogus-package | AI (bogus-package): Scoped org package with 167 versions and 1617 days of history; missing metadata is cosmetic, not indicative of malice. | ai |
dependencies | unvetted-dep:select2 | AI (dependencies): select2 is a well-known jQuery UI plugin; stable dependency for this layout package. | ai |
dependencies | unvetted-dep:@foxythemes/bootstrap-datetime-picker-bs4 | AI (dependencies): Bootstrap datetime picker; consistent with layout/UI package purpose. | ai |
dependencies | unvetted-dep:components-jqueryui | AI (dependencies): components-jqueryui is the official jQuery UI package; expected for a layout library. | ai |
phantom-deps | phantom-dep:perfect-scrollbar | AI (phantom-deps): UI utility referenced in config; stable false positive for this layout package. | ai |
phantom-deps | phantom-dep:csp-header | AI (phantom-deps): Referenced in config files; consistent with Angular build output pattern. | ai |
phantom-deps | phantom-dep:popper.js | AI (phantom-deps): Bootstrap companion; referenced in config, not direct TS import. | ai |
phantom-deps | phantom-dep:bootstrap | AI (phantom-deps): CSS framework referenced in config/SCSS; stable false positive for this layout package. | ai |
phantom-deps | phantom-dep:select2 | AI (phantom-deps): UI library referenced in config files; expected pattern for Angular layout package. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard Angular/TypeScript runtime implicit dep; stable false positive for this package. | ai |
phantom-deps | phantom-dep:moment | AI (phantom-deps): Referenced in config/SCSS, not direct TS import; consistent with Angular library build output. | ai |
phantom-deps | phantom-dep:@foxythemes/bootstrap-datetime-picker-bs4 | AI (phantom-deps): Date picker referenced in config; stable false positive for this layout package. | ai |
phantom-deps | phantom-dep:components-jqueryui | AI (phantom-deps): jQuery UI referenced in config/SCSS; expected for this layout package. | ai |

Versions (showing 11 of 11)

Version | Deps | Published
13.31.0 | 12 / 0 |
13.29.0 | 12 / 0 |
13.28.1 | 12 / 0 |
13.28.0 | 12 / 0 |
13.23.0 | 12 / 0 |
12.36.0 | 11 / 0 |
12.35.0 | 11 / 0 |
12.34.0 | 11 / 0 |
12.33.1 | 11 / 0 |
12.33.0 | 11 / 0 |
12.30.0 | 11 / 0 |

v13.31.0

1 finding
INFO  No provenance attestation  [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.29.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.28.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.28.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.23.0

1 finding
INFO  No provenance attestation  [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v12.36.0

7 findings
HIGH  New obfuscated file: esm2022/lib/components/layout-internal/layout-internal.component.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: esm2022/lib/components/layout/layout.component.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: esm2022/lib/layout.module.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: esm2022/lib/translation-management-routing.module.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: esm2022/lib/components/translation-management/translation-management.component.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH  New obfuscated file: esm2022/lib/translation-management.module.mjs  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
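The heuristic behind the six HIGH findings above, together with the triage step the accepted-risk notes describe, as an added example that is not the scanner's rules or Valtimo's code: any line longer than 3000 characters is flagged, then classified by whether it carries Angular's ɵɵngDeclare* partial-compilation markers or patterns typical of obfuscated loaders. The 3000-character threshold is the page's; the marker list, the obfuscation signals, the verdict labels and the two sample lines are this example's assumptions.

```javascript
// Added example, not the scanner's rules or Valtimo's code: the long-line
// heuristic behind the findings above, plus a triage pass that separates
// Angular partial-compilation output from code that looks obfuscated.

const LONG_LINE_THRESHOLD = 3000; // the page's threshold

// ng-packagr emits esm2022/*.mjs with component metadata and inline templates
// folded into single ɵɵngDeclare* calls, which is why those lines get long.
const ANGULAR_MARKERS = [
  'ɵɵngDeclareComponent', 'ɵɵngDeclareDirective', 'ɵɵngDeclarePipe',
  'ɵɵngDeclareNgModule', 'ɵɵngDeclareInjector', 'ɵɵngDeclareInjectable',
  'ɵɵngDeclareFactory', 'ɵɵngDeclareClassMetadata',
];

// Patterns common in obfuscated loaders and rare in compiler output. This
// list is an assumption of the example, not a complete detector.
const OBFUSCATION_SIGNALS = [
  /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){7,}/i, // runs of hex-escaped characters
  /\beval\s*\(/,
  /String\.fromCharCode\s*\(/,
  /\batob\s*\(/,
  /new\s+Function\s*\(/,
];

// Obfuscation signals win over the Angular marker: the marker is an allow-list
// string anyone can prepend, so a line carrying both stays suspicious.
function classifyLine(line) {
  const signals = OBFUSCATION_SIGNALS.filter((re) => re.test(line)).length;
  if (signals >= 2) return 'suspicious';
  if (ANGULAR_MARKERS.some((marker) => line.includes(marker))) return 'angular-metadata';
  return 'unclassified';
}

// Flag every line over the threshold and attach a triage verdict.
function longLineReport(path, content, threshold = LONG_LINE_THRESHOLD) {
  const findings = [];
  content.split('\n').forEach((line, index) => {
    if (line.length > threshold) {
      findings.push({ path, line: index + 1, length: line.length, verdict: classifyLine(line) });
    }
  });
  return findings;
}

// Constructed samples, padded past the threshold; not real @valtimo/layout output.
const ANGULAR_LIKE =
  'i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "16.2.0", type: LayoutComponent, ' +
  'selector: "app-layout", ngImport: i0, isInline: true, template: "' +
  '<div class=\\"layout\\"></div>'.repeat(140) + '" });';

const OBFUSCATED_LIKE =
  'var _0x1a2b=["' + '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'.repeat(100) +
  '"];eval(String.fromCharCode(' + '104,116,'.repeat(50) + '112));';

console.log(longLineReport('esm2022/lib/layout.module.mjs', ANGULAR_LIKE)); // verdict: angular-metadata
console.log(longLineReport('dist/loader.js', OBFUSCATED_LIKE));             // verdict: suspicious
```

The marker pass is a triage aid, not a clearance: it tells a reviewer which long lines are worth reading first. The conclusive check for a compiled Angular library is to rebuild the package from the tagged source commit and diff the result against the published tarball, which is exactly the link the missing provenance on this page leaves to manual work.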

v12.35.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v12.34.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v12.33.1

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v12.33.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v12.30.0

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.