@wix/auto_sdk_bookings_booking-policies
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/es/bookings-v1-booking-policy-booking-policies.universal-DyKOkpmg.d.mts | AI (source-diff): Long-line TypeScript declaration file with JSDoc comments; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/internal/cjs/bookings-v1-booking-policy-booking-policies.universal-DyKOkpmg.d.ts | AI (source-diff): Long-line TypeScript declaration file with JSDoc comments; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/cjs/bookings-v1-booking-policy-booking-policies.universal-DyKOkpmg.d.ts | AI (source-diff): Long-line TypeScript declaration file with JSDoc comments; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/internal/es/bookings-v1-booking-policy-booking-policies.universal-DyKOkpmg.d.mts | AI (source-diff): Long-line TypeScript declaration file with JSDoc comments; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/bookings-v1-booking-policy-booking-policies.universal-BOznK2N1.d.mts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not actual obfuscation. | ai | |
| source-diff | obfuscated-file:build/internal/bookings-v1-booking-policy-booking-policies.universal-BOznK2N1.d.ts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not actual obfuscation. | ai | |
| source-diff | obfuscated-file:build/bookings-v1-booking-policy-booking-policies.universal-BOznK2N1.d.ts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not actual obfuscation. | ai | |
| source-diff | obfuscated-file:build/internal/bookings-v1-booking-policy-booking-policies.universal-BOznK2N1.d.mts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not actual obfuscation. | ai | |
| source-diff | obfuscated-file:build/internal/cjs/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.ts | AI (source-diff): TypeScript declaration file with long JSDoc lines; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/es/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.mts | AI (source-diff): TypeScript declaration file with long lines from JSDoc; not obfuscated code. Pattern is stable for this Wix SDK package. | ai | |
| source-diff | obfuscated-file:build/internal/es/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.mts | AI (source-diff): TypeScript declaration file with long JSDoc lines; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/cjs/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.ts | AI (source-diff): TypeScript declaration file with long JSDoc lines; not obfuscated. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/internal/es/meta.d.mts | AI (source-diff): TypeScript declaration file with long import/export lines; not obfuscated code. Stable pattern for @wix/auto_sdk_* packages. | ai | |
| source-diff | obfuscated-file:build/es/meta.d.mts | AI (source-diff): TypeScript declaration file with long import/export lines; not obfuscated code. Stable pattern for @wix/auto_sdk_* packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): wix-org-headless and dorchaouat are Wix org accounts; consistent with Wix CI migration pattern. | ai | |
| source-diff | obfuscated-file:build/internal/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.mts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.mts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.ts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not obfuscated code. | ai | |
| source-diff | obfuscated-file:build/internal/bookings-v1-booking-policy-booking-policies.universal-Dn-27NDP.d.ts | AI (source-diff): Generated TypeScript declaration file with long lines from type definitions; not obfuscated code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Part of Wix's migration to centralized CI publishing; not indicative of takeover. | ai | |
| source-diff | obfuscated-file:build/internal/es/index.d.mts | AI (source-diff): Same pattern as build/es/index.d.mts — bundled TS declaration file, not malicious. | ai | |
| source-diff | obfuscated-file:build/es/index.d.mts | AI (source-diff): TypeScript declaration file with long export lists; not obfuscation, normal for bundled Wix SDK packages. | ai | |
| source-diff | obfuscated-file:build/es/index.typings.d.mts | AI (source-diff): TypeScript typings declaration file; long lines are from bundled interface definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:build/internal/es/index.typings.d.mts | AI (source-diff): Same pattern as build/es/index.typings.d.mts — bundled TS typings, not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to wix-ci-publisher is Wix's standard CI automation account with 773 approved packages; stable pattern across Wix SDK packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Wix auto-generated SDK package; templated naming, no description/repo are expected for this publisher's pipeline. | ai | |
| provenance | no-provenance | AI (provenance): Wix CI publisher does not attach Sigstore provenance; consistent across all approved versions. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Wix auto-generated SDK packages consistently omit descriptions; stable false positive for this package family. | ai |
Versions (showing 24 of 124)
| Version | Deps | Published |
|---|---|---|
| 1.0.35 | 2 / 2 | |
| 1.0.34 | 2 / 2 | |
| 1.0.33 | 2 / 2 | |
| 1.0.32 | 2 / 2 | |
| 1.0.31 | 2 / 1 | |
| 1.0.30 | 2 / 1 | |
| 1.0.29 | 2 / 1 | |
| 1.0.28 | 2 / 1 | |
| 1.0.27 | 2 / 1 | |
| 1.0.26 | 2 / 1 | |
| 1.0.25 | 2 / 1 | |
| 1.0.24 | 2 / 1 | |
| 1.0.23 | 2 / 1 | |
| 1.0.22 | 2 / 1 | |
| 1.0.21 | 2 / 1 | |
| 1.0.20 | 2 / 1 | |
| 1.0.19 | 2 / 1 | |
| 1.0.18 | 2 / 2 | |
| 1.0.17 | 2 / 2 | |
| 1.0.16 | 2 / 1 | |
| 1.0.15 | 2 / 1 | |
| 1.0.14 | 2 / 1 | |
| 1.0.13 | 2 / 1 | |
| 1.0.12 | 2 / 1 |
v1.0.35
6 findingsThis version was published by a different npm account than previous versions on 2025-06-09. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.34
6 findingsThis version was published by a different npm account than previous versions on 2025-06-05. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.33
6 findingsThis version was published by a different npm account than previous versions on 2025-06-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.32
6 findingsThis version was published by a different npm account than previous versions on 2025-06-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.31
2 findingsThis version was published by a different npm account than previous versions on 2025-05-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.30
2 findingsThis version was published by a different npm account than previous versions on 2025-05-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.29
2 findingsThis version was published by a different npm account than previous versions on 2025-05-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.28
2 findingsThis version was published by a different npm account than previous versions on 2025-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.27
2 findingsThis version was published by a different npm account than previous versions on 2025-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.26
2 findingsThis version was published by a different npm account than previous versions on 2025-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.25
2 findingsThis version was published by a different npm account than previous versions on 2025-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.24
2 findingsThis version was published by a different npm account than previous versions on 2025-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.23
2 findingsThis version was published by a different npm account than previous versions on 2025-05-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.22
2 findingsThis version was published by a different npm account than previous versions on 2025-05-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.21
2 findingsThis version was published by a different npm account than previous versions on 2025-05-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
2 findingsThis version was published by a different npm account than previous versions on 2025-05-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.19
2 findingsThis version was published by a different npm account than previous versions on 2025-05-08. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
6 findingsThis version was published by a different npm account than previous versions on 2025-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
6 findingsThis version was published by a different npm account than previous versions on 2025-05-07. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
2 findingsThis version was published by a different npm account than previous versions on 2025-05-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.15
2 findingsThis version was published by a different npm account than previous versions on 2025-05-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
2 findingsThis version was published by a different npm account than previous versions on 2025-05-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.