@wix/motion-edm-autogen-p13n
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:cjs/build/proto-generated/index.js | AI (source-diff): Minified protobuf-generated code from wix-proto-codegen; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:es/build/proto-generated/index.js | AI (source-diff): Minified protobuf-generated code from wix-proto-codegen; stable pattern for this package. | ai | |
| source-diff | encoded-string-file:dist/cjs/proto-generated/index.js | AI (source-diff): Long strings are protobuf schema JSON embedded inline by wix-proto-codegen; not obfuscated payloads. | ai | |
| source-diff | encoded-string-file:dist/esm/proto-generated/index.js | AI (source-diff): Same pattern as CJS build — protobuf schema JSON, not malicious encoding. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Wix internal autogenerated package; missing description is consistent across the org's tooling packages. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep; loaded by convention in Wix/Yoshi build toolchain. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Wix internal autogenerated package; templated naming, no description/repo are expected patterns for this org's tooling. | ai |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 1.0.129 | 4 / 21 | |
| 1.0.128 | 4 / 21 | |
| 1.0.127 | 4 / 20 | |
| 1.0.126 | 4 / 20 | |
| 1.0.125 | 4 / 20 | |
| 1.0.124 | 4 / 20 | |
| 1.0.123 | 4 / 20 | |
| 1.0.122 | 4 / 20 | |
| 1.0.121 | 4 / 20 | |
| 1.0.120 | 4 / 20 | |
| 1.0.119 | 4 / 20 | |
| 1.0.118 | 4 / 20 | |
| 1.0.117 | 4 / 20 | |
| 1.0.116 | 4 / 20 | |
| 1.0.115 | 4 / 20 | |
| 1.0.114 | 4 / 20 | |
| 1.0.113 | 4 / 20 | |
| 1.0.112 | 4 / 20 | |
| 1.0.111 | 4 / 20 | |
| 1.0.110 | 4 / 20 | |
| 1.0.109 | 4 / 20 | |
| 1.0.108 | 4 / 20 |
v1.0.129
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.128
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.127
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.126
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.125
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.124
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.123
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.122
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.121
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.120
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.119
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.118
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.117
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.116
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.115
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.114
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.113
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.112
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.111
3 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.110
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.109
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.108
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.