@wix/metro-runtime
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): wix-ci-publisher is a well-established Wix CI account (798 approved); publisher change reflects org-wide CI migration, not compromise. | ai | |
| source-diff | encoded-string-file:dist/cjs/proto/index.js | AI (source-diff): Long string is a minified protobuf/JSON schema descriptor, not an obfuscated payload; stable pattern for this package. | ai | |
| source-diff | encoded-string-file:src/proto/index.js | AI (source-diff): Long strings are protobuf schema JSON data, not encoded payloads. | ai | |
| source-diff | obfuscated-file:es/build/proto/index.js | AI (source-diff): Same minified protobuf schema bundle (ES module variant); not obfuscated malware. | ai | |
| source-diff | obfuscated-file:cjs/build/proto/index.js | AI (source-diff): Minified protobuf schema bundle generated by Wix proto toolchain; not obfuscated malware. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Private internal Wix package; missing metadata is expected for scoped internal packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Private internal package; no public description needed. | ai | |
Versions (showing 51 of 79)
| Version | Deps | Published |
|---|---|---|
| 1.2120.0 | 7 / 15 | |
| 1.2119.0 | 7 / 15 | |
| 1.2118.0 | 7 / 15 | |
| 1.2117.0 | 7 / 15 | |
| 1.2116.0 | 7 / 15 | |
| 1.2115.0 | 7 / 15 | |
| 1.2114.0 | 7 / 14 | |
| 1.2113.0 | 7 / 14 | |
| 1.2112.0 | 7 / 14 | |
| 1.2110.0 | 7 / 14 | |
| 1.2109.0 | 7 / 14 | |
| 1.2108.0 | 7 / 14 | |
| 1.2107.0 | 7 / 14 | |
| 1.2106.0 | 7 / 14 | |
| 1.2105.0 | 7 / 14 | |
| 1.2104.0 | 7 / 14 | |
| 1.2103.0 | 7 / 14 | |
| 1.2102.0 | 7 / 14 | |
| 1.2101.0 | 7 / 14 | |
| 1.2100.0 | 7 / 14 | |
| 1.2099.0 | 7 / 14 | |
| 1.2098.0 | 7 / 14 | |
| 1.2097.0 | 7 / 14 | |
| 1.2096.0 | 7 / 14 | |
| 1.2095.0 | 7 / 14 | |
| 1.2094.0 | 7 / 14 | |
| 1.2093.0 | 7 / 14 | |
| 1.2092.0 | 7 / 14 | |
| 1.2091.0 | 7 / 14 | |
| 1.2090.0 | 7 / 14 | |
| 1.2089.0 | 7 / 14 | |
| 1.2088.0 | 7 / 14 | |
| 1.2087.0 | 7 / 14 | |
| 1.2086.0 | 7 / 14 | |
| 1.2085.0 | 7 / 14 | |
| 1.2084.0 | 7 / 14 | |
| 1.2083.0 | 7 / 14 | |
| 1.2082.0 | 7 / 14 | |
| 1.2081.0 | 7 / 14 | |
| 1.2080.0 | 7 / 14 | |
| 1.2079.0 | 7 / 14 | |
| 1.2078.0 | 7 / 14 | |
| 1.2077.0 | 7 / 14 | |
| 1.2076.0 | 7 / 14 | |
| 1.2075.0 | 7 / 14 | |
| 1.2074.0 | 7 / 14 | |
| 1.2073.0 | 7 / 14 | |
| 1.2072.0 | 7 / 14 | |
| 1.2071.0 | 7 / 14 | |
| 1.2070.0 | 7 / 14 | |
| 1.2069.0 | 7 / 14 | |
v1.2120.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2119.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2118.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2117.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2116.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2115.0
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2114.0
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2113.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2112.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2110.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2109.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2108.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2107.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2106.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2105.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2104.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2103.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2102.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2101.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2100.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2099.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2098.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2097.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2096.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2095.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2094.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2093.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2092.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2091.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2090.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2089.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2088.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2087.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2086.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2085.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2084.0
2 findings
This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2083.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2082.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2081.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2080.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2079.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-23. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2078.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2077.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2076.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2075.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2074.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2073.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-15. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2072.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2071.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2070.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2069.0
2 findings
This version was published by a different npm account than previous versions on 2025-09-10. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.