@wg-npm/survey-creator
Supply chain provenance
Status for the latest visible version.
Without a SLSA provenance attestation, nothing cryptographically ties the published tarball to a build of the public source repository; the axios compromise (March 2026) relied on exactly this gap. Provenance only shows where and how a tarball was built, not that the source it was built from is benign, so it complements rather than replaces review of the code itself.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): No provenance across 715 versions; consistent pattern for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped internal package; missing description is a stable characteristic, not a malware signal. | ai | |
| dependencies | unvetted-dep:quill | AI (dependencies): quill is a well-known open-source rich-text editor; stable legitimate dependency for this package. | ai | |
| phantom-deps | phantom-dep:quill | AI (phantom-deps): quill is a runtime dep referenced in config/rollup; phantom-dep heuristic is a false positive here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped internal package (@wg-npm); missing public metadata is expected for private/internal tooling. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 1.78.4161800 | 1 / 43 | |
| 1.78.4151600 | 1 / 43 | |
| 1.78.3091408 | 1 / 43 | |
| 1.78.3051745 | 1 / 43 | |
| 1.78.511954 | 1 / 43 | |
| 1.78.511948 | 1 / 43 | |
| 1.78.511947 | 1 / 43 | |
| 1.78.511944 | 1 / 43 | |
| 1.78.511943 | 1 / 43 | |
| 1.78.511940 | 1 / 43 | |
| 1.78.511910 | 1 / 43 | |
| 1.78.511900 | 1 / 43 | |
| 1.78.511800 | 1 / 43 | |
| 1.78.222395 | 1 / 43 | |
| 1.77.2251800 | 1 / 43 | |
| 1.77.2131100 | 1 / 43 | |
| 1.77.2101756 | 1 / 43 | |
| 1.77.2101755 | 1 / 43 | |
| 1.77.1131715 | 1 / 43 | |
| 1.77.113395 | 1 / 43 | |
| 1.77.112274 | 1 / 43 | |
| 1.77.102768 | 1 / 43 | |
| 1.77.98172 | 1 / 43 | |
| 1.77.96442 | 1 / 43 | |
| 0.5.740 | 1 / 43 | |
v1.78.4161800
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.4151600
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.78.3091408
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.78.3051745
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.78.511954
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.78.511948
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.511947
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.511944
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.78.511940
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.511910
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.511900
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.511800
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.78.222395
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.2251800
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.2131100
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.77.2101756
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.2101755
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.1131715
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.113395
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.112274
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.102768
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.98172
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.77.96442
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.740
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.