@wix/astro
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:build/dependencies/astro-auth/backend-runtime/schemas-DPAYnib_.mjs | AI (source-diff): File is a bundled zod v4 schema library, not malware. Sample clearly shows zod core constructor code. | ai | |
| dependencies | unvetted-dep:@wix/astro-payment-links | AI (dependencies): First-party @wix scoped sub-package; part of the same Wix Astro ecosystem. | ai | |
| dependencies | unvetted-dep:@wix/astro-viewer-api | AI (dependencies): First-party @wix scoped sub-package; part of the same Wix Astro ecosystem. | ai | |
| dependencies | unvetted-dep:@wix/astro-robots | AI (dependencies): First-party @wix scoped sub-package; part of the same Wix Astro ecosystem. | ai | |
| source-diff | encoded-string-file:build/integration/index.mjs | AI (source-diff): Base64-encoded WASM binary for a CSS/JS parser (acorn/es-module-lexer pattern); benign build artifact. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Internal Wix team rotation; publisher is wix-ci-publisher with strong track record. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Internal Wix team rotation; consistent with org-level CI publishing pattern. | ai | |
| source-diff | net-exec-file:build/dependencies/astro-auth/backend-runtime/schemas-CyWC6xeg.mjs | AI (source-diff): Bundled zod v4 + WebAssembly parser; no actual network calls or dropper behavior — standard build artifact for this package. | ai | |
| dependencies | unvetted-dep:@wix/auth-management | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/multilingual-manager | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/headless-localization-utils | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/headless-site-assets | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/sdk | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/site | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/editor | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/dashboard | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/essentials | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/headless-node | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@wix/headless-site | AI (dependencies): First-party @wix sibling dep; stable pattern for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal Wix monorepo package; missing metadata is expected for org-internal tooling. | ai | |
| phantom-deps | phantom-dep:@wix/sdk-types | AI (phantom-deps): Types-only dependency; not directly imported at runtime by design. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Wix internal package; absent description is consistent across their published packages. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 2.50.0 | 14 / 21 | |
| 2.49.0 | 14 / 21 | |
| 2.48.0 | 14 / 21 | |
| 2.47.0 | 14 / 21 | |
| 2.46.0 | 14 / 21 | |
| 2.45.0 | 13 / 21 | |
| 2.44.0 | 13 / 21 | |
| 2.43.0 | 13 / 21 | |
| 2.42.0 | 13 / 21 | |
| 2.41.0 | 13 / 21 | |
| 2.40.0 | 13 / 21 | |
| 2.39.0 | 13 / 21 | |
| 2.38.0 | 13 / 21 | |
| 2.37.0 | 13 / 21 | |
| 2.31.0 | 13 / 21 | |
| 2.24.0 | 12 / 20 | |
| 2.23.0 | 11 / 19 | |
| 2.21.0 | 11 / 19 | |
| 2.20.0 | 11 / 18 | |
| 2.16.0 | 10 / 16 | |
| 2.12.0 | 10 / 17 | |
| 2.9.0 | 12 / 4 | |
| 2.8.0 | 10 / 4 | |
| 1.0.38 | 0 / 18 | |
| 1.0.37 | 0 / 18 | |
v2.50.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.49.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.48.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.47.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.46.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.45.0
3 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.44.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.43.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.42.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.41.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.40.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.39.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.38.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.37.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.31.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.24.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.23.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.21.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.20.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.16.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.38
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.37
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.