@vitessce/vit-s MIT 8 versions

@vitessce/vit-s

npm Repository Homepage

8

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

keller-mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	no-description	AI (npm-metadata): Scoped monorepo sub-package; missing description is a known pattern, not a malware signal.	ai	2026/05/07
dependencies	unvetted-dep:@placemarkio/flat-drop-files	AI (dependencies): Legitimate file-drop utility from Placemark org; no malware indicators.	ai	2026/05/07
dependencies	unvetted-dep:react-grid-layout-with-lodash	AI (dependencies): Known fork of react-grid-layout with lodash-es; stable dependency for this package.	ai	2026/05/07
phantom-deps	phantom-dep:@vitessce/sets-utils	AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for monorepo packages.	ai	2026/05/02
phantom-deps	phantom-dep:uuid	AI (phantom-deps): Common utility dep; may be used indirectly via re-exports in monorepo build.	ai	2026/05/02
typosquat	typosquat.levenshtein:vite	AI (typosquat): Scoped @vitessce org package; not a typosquat of vite. Stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:fast-deep-equal	AI (phantom-deps): Common utility; may be used via bundled output. Stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:jss-plugin-global	AI (phantom-deps): CSS-in-JS dep; may be referenced via config/build. Stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:zarrita	AI (phantom-deps): Zarr storage dep used in build/config context; stable false positive for this package.	ai	2026/05/02
typosquat	typosquat.levenshtein:vitest	AI (typosquat): Scoped @vitessce org package; not a typosquat of vitest. Stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@vitessce/plugins	AI (phantom-deps): Same-org sibling dep; phantom-dep heuristic unreliable for monorepo packages.	ai	2026/05/02

Versions (showing 8 of 8)

Version	Deps	Published
3.9.9	26 / 7	2026-05-20
3.9.8	26 / 7	2026-04-29
3.9.7	26 / 7	2026-04-10
3.9.3	26 / 7	2026-02-11
3.8.13	24 / 7	2025-12-14
3.8.8	24 / 7	2025-11-12
3.8.6	24 / 7	2025-11-10
3.6.9	22 / 7	2025-07-25

v3.9.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.9.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.8.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.6.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.