@wangeditor-next/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
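An added example (not code from this page or from @wangeditor-next/core) showing how the two metadata signals behind the per-version findings below can be read out of an npm packument, the registry document for a package: a Sigstore provenance attestation on a version and the gitHead field that ties a publish to a source commit. The packument here is constructed inline with a hypothetical package name; a real one is fetched from https://registry.npmjs.org/<name>, which this script does not do.

```javascript
// Added example, not from the page or the project. Inspects a constructed npm
// packument for (a) a provenance attestation on each version and (b) a gitHead
// field that disappears after earlier versions carried one.

// Constructed packument for a hypothetical package; commit hashes and
// integrity strings are placeholders.
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  time: {
    "1.0.0": "2024-01-10T00:00:00.000Z",
    "1.1.0": "2024-03-02T00:00:00.000Z",
    "1.2.0": "2024-05-20T00:00:00.000Z",
  },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      gitHead: "0f3a9c1d2e4b5a6f7081920a3b4c5d6e7f8091a2",
      dist: { integrity: "sha512-AAAA", tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz" },
    },
    "1.1.0": {
      version: "1.1.0", // no gitHead: the publish environment changed
      dist: { integrity: "sha512-BBBB", tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.1.0.tgz" },
    },
    "1.2.0": {
      version: "1.2.0",
      gitHead: "9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b",
      dist: {
        integrity: "sha512-CCCC",
        tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.0.tgz",
        // Shape the registry returns for a version published with provenance.
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// True when the version metadata advertises a provenance attestation. This is
// presence only; cryptographic verification of the Sigstore bundle is a
// separate step (npm does it in `npm audit signatures`).
function hasProvenance(meta) {
  const att = meta && meta.dist && meta.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// Versions in publish order, using the packument's `time` map (missing
// timestamps sort first).
function publishOrder(packument) {
  const t = packument.time || {};
  return Object.keys(packument.versions).sort((a, b) => {
    const ta = t[a] ? Date.parse(t[a]) : 0;
    const tb = t[b] ? Date.parse(t[b]) : 0;
    return ta - tb;
  });
}

// One record per version with the findings this report keys on:
//   "no-provenance"  : no attestation on the version
//   "gitHead-dropped": no gitHead although an earlier version carried one
function auditPackument(packument) {
  const results = [];
  let sawGitHead = false;
  for (const v of publishOrder(packument)) {
    const meta = packument.versions[v];
    const findings = [];
    if (!hasProvenance(meta)) findings.push("no-provenance");
    if (!meta.gitHead && sawGitHead) findings.push("gitHead-dropped");
    if (meta.gitHead) sawGitHead = true;
    results.push({ version: v, gitHead: meta.gitHead || null, provenance: hasProvenance(meta), findings });
  }
  return results;
}

for (const r of auditPackument(samplePackument)) {
  console.log(`${r.version.padEnd(8)} provenance=${r.provenance} gitHead=${r.gitHead || "-"} ${r.findings.join(",") || "ok"}`);
}
```

The check is deliberately metadata-only: an attestations entry tells you the registry holds a Sigstore bundle for that version, not that the bundle verifies or that its source repository is the one you expect. For installed packages, `npm audit signatures` performs the actual verification; the script above is for triaging a packument before you install anything.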
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/upload.js | AI (source-diff): Standard Rollup minified bundle for the new upload subpath export; source maps included, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/upload.mjs | AI (source-diff): Standard Rollup ESM minified bundle for the new upload subpath export; source maps included, no malicious patterns. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established editor core package; sparse README/no keywords is a stable cosmetic trait, not a spam indicator. | ai | |
| phantom-deps | phantom-dep:scroll-into-view-if-needed | AI (phantom-deps): Bundled rollup build; deps are inlined and not directly imported in source. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped editor package; name similarity to 'cors' is coincidental, not a squatting attempt. | ai | |
| phantom-deps | phantom-dep:@types/event-emitter | AI (phantom-deps): Type-only package; not imported at runtime, loaded by convention. | ai | |
| phantom-deps | phantom-dep:slate-history | AI (phantom-deps): Bundled rollup build; deps are inlined and not directly imported in source. | ai | |
| phantom-deps | phantom-dep:html-void-elements | AI (phantom-deps): Bundled rollup build; deps are inlined and not directly imported in source. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 1.9.4 | 6 / 4 | |
| 1.9.3 | 6 / 4 | |
| 1.9.2 | 6 / 4 | |
| 1.9.1 | 6 / 4 | |
| 1.9.0 | 6 / 4 | |
| 1.8.5 | 6 / 4 | |
| 1.8.4 | 6 / 4 | |
| 1.8.3 | 6 / 4 | |
| 1.8.2 | 6 / 4 | |
| 1.8.1 | 6 / 4 | |
| 1.8.0 | 6 / 2 | |
| 1.7.51 | 6 / 2 | |
| 1.7.50 | 6 / 2 | |
| 1.7.49 | 6 / 2 | |
| 1.7.48 | 6 / 2 | |
| 1.7.47 | 6 / 2 | |
| 1.7.46 | 6 / 2 | |
| 1.7.44 | 6 / 2 | |
| 1.7.43 | 6 / 2 | |
| 1.7.41 | 6 / 2 | |
| 1.7.40 | 6 / 1 | |
| 1.7.39 | 6 / 1 | |
| 1.7.38 | 6 / 1 | |
| 1.7.37 | 6 / 1 | |
| 1.7.36 | 6 / 1 | |
| 1.7.35 | 6 / 1 | |
v1.9.4
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.9.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.9.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.9.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.8.5
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.8.4
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.8.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.8.1
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.51
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.50
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.49
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.48
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.47
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.46
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.44
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.43
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.41
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.40
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.39
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.38
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cycleccc.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.37
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.7.36
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.35
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
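An added example (not code from this page or from @wangeditor-next/core) that reproduces, on constructed input, the two tarball-level checks behind the v1.8.1 findings and the accepted-risk rows above: flagging a newly added file whose lines exceed 3000 characters (the minified/obfuscated-code heuristic) and comparing declared dependencies against what the shipped JavaScript actually imports (the phantom-dep check). The two file sets, their package.json contents and every package name in them are invented for the illustration.

```javascript
// Added example, not from the page or the project. Runs the long-line and
// dependency-mismatch heuristics over two constructed "tarballs" given as
// {path: contents} maps.

const LONG_LINE_LIMIT = 3000;

// Constructed previous and next tarball contents; all package names are
// hypothetical.
const previousFiles = {
  "package.json": JSON.stringify({ name: "example-pkg", version: "1.0.0",
    dependencies: { "left-pad-ish": "^1.0.0", "tiny-emitter-ish": "^2.0.0" } }),
  "dist/index.js": "import { pad } from 'left-pad-ish';\nexport const x = pad('a', 3);\n",
};
const nextFiles = {
  "package.json": JSON.stringify({ name: "example-pkg", version: "1.1.0",
    dependencies: { "left-pad-ish": "^1.0.0", "tiny-emitter-ish": "^2.0.0" } }),
  "dist/index.js": "import { pad } from 'left-pad-ish';\nexport const x = pad('a', 3);\n",
  // New minified bundle: one line far past the limit, and a require() of a
  // package that package.json does not declare.
  "dist/upload.js": "const e=require('undeclared-helper-ish');" + "var a=1;".repeat(500) +
    "\n//# sourceMappingURL=upload.js.map\n",
};

// Files containing at least one line longer than LONG_LINE_LIMIT.
function longLineFiles(files) {
  return Object.keys(files).filter(p =>
    files[p].split("\n").some(line => line.length > LONG_LINE_LIMIT));
}

// Files that are new in `next` relative to `prev` and trip the long-line rule:
// the condition the "newly added source file" finding describes.
function newObfuscatedFiles(prev, next) {
  const longInNext = new Set(longLineFiles(next));
  return Object.keys(next).filter(p => !(p in prev) && longInNext.has(p));
}

// Import specifiers from ESM `import ... from`, `import 'x'` / `import('x')`
// and CommonJS `require('x')`. A regex, so it is a triage tool, not a parser.
const IMPORT_RE = /\b(?:import|export)\b[^'"]*?\bfrom\s*['"]([^'"]+)['"]|\bimport\s*\(?\s*['"]([^'"]+)['"]|\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// Reduce a specifier to its package name; relative, absolute and node: paths
// yield null. Scoped packages keep their first two path segments.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Set of package names imported anywhere in the .js/.cjs/.mjs files.
function importedPackages(files) {
  const names = new Set();
  for (const [path, src] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(path)) continue;
    for (const m of src.matchAll(IMPORT_RE)) {
      const name = packageName(m[1] || m[2] || m[3]);
      if (name) names.add(name);
    }
  }
  return names;
}

// Both directions of the mismatch: imports with no declaration (classic
// phantom dependency) and declarations nothing imports (expected for a
// bundled build whose deps were inlined, as the accepted-risk rows note).
function dependencyReport(files) {
  const pkg = JSON.parse(files["package.json"]);
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const imported = importedPackages(files);
  return {
    undeclaredImports: [...imported].filter(n => !declared.has(n)).sort(),
    declaredButNotImported: [...declared].filter(n => !imported.has(n)).sort(),
  };
}

console.log("new long-line files:", newObfuscatedFiles(previousFiles, nextFiles));
console.log("dependency report:", dependencyReport(nextFiles));
```

Both heuristics are triggers for review rather than verdicts. A Rollup output under dist/ with a matching .map file is the normal shape of a minified bundle, and bundling also explains declared dependencies that never appear as imports; what should not be explained away is an import of a package the manifest does not declare, or a new long-line file with no source map sitting next to unchanged sources.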