authhero
Authhero is an open-source authentication library designed as a drop-in replacement for Auth0. It provides a fully functional auth server that you can set up in minutes.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:liquidjs | AI (phantom-deps): liquidjs is a declared runtime dep used via config/template rendering; phantom-dep heuristic fires because it's not directly imported at the top level. | ai | |
| source-diff | net-exec-file:dist/types/types/AuthHeroConfig.d.ts | AI (source-diff): TypeScript declaration file only; no executable code, no network calls — false positive from type names like CodeExecutor and Handler. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-FUW5zvoZ.js | AI (source-diff): Stencil.js runtime core bundle; minified output from @authhero/widget build, not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-f0f9eca3.entry.js | AI (source-diff): Stencil.js widget bundle (color utilities); minified output from @authhero/widget build, not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-aa120307.entry.js | AI (source-diff): Stencil.js widget bundle (country dial-code list); minified output from @authhero/widget build, not malicious. | ai | |
| phantom-deps | phantom-dep:libphonenumber-js | AI (phantom-deps): Declared runtime dep used indirectly via config; stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-11674140.entry.js | AI (source-diff): Minified Stencil widget bundle; color utility code is clearly benign build output. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-975a907f.entry.js | AI (source-diff): Minified Stencil widget build artifact; expected output of build:client pipeline. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-88f80b3e.entry.js | AI (source-diff): Minified Stencil widget build artifact; expected output of build:client pipeline. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): liquidjs is a well-known templating library; addition aligns with build:emails script. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-f63fd386.entry.js | AI (source-diff): Standard Vite/Stencil minified widget bundle; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-53f4e14a.entry.js | AI (source-diff): Standard Vite/Stencil minified widget bundle; content is readable color-utility JS, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-f56bfac1.entry.js | AI (source-diff): Stencil widget entry with color utility functions; minified build artifact, not malicious. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-e91b632f.entry.js | AI (source-diff): Stencil widget entry file with country dial code data; minified but not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-5428e2e1.entry.js | AI (source-diff): Standard Vite/Stencil minified widget bundle; content is readable color-utility JS, not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-8514f73f.entry.js | AI (source-diff): Minified Stencil widget bundle; country dial-code data is benign build output. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-b9ae0275.entry.js | AI (source-diff): Minified Stencil widget bundle; color-utility and theming code is benign build output. | ai | |
| source-diff | obfuscated-file:dist/assets/u/widget/p-BFP_5sHV.js | AI (source-diff): Minified Stencil runtime/vendor bundle; standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/client.js | AI (source-diff): Standard minified build output from vite client build; content is readable Hono/JSX framework code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/assets/u/js/client.js | AI (source-diff): Standard minified build output from vite client build; content is readable Hono/JSX framework code, not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:check-password-strength | AI (phantom-deps): Declared runtime dep bundled into dist; phantom-dep heuristic is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@authhero/adapter-interfaces | AI (phantom-deps): Declared runtime dep bundled into dist; phantom-dep heuristic is a stable false positive for this package. | ai | |
| source-diff | encoded-string-file:dist/authhero.mjs | AI (source-diff): Same base64 htmlDecodeTree pattern in ESM bundle; stable false positive for this package. | ai | |
| source-diff | encoded-string-file:dist/authhero.cjs | AI (source-diff): Long string is a base64-encoded HTML entity decode tree bundled from entities library — not a malicious payload. | ai | |
| phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:country-list | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:bcryptjs | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:i18next | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:xstate | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:qrcode | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:cookie | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:oslo | AI (phantom-deps): Bundled library; deps resolved at build time, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:arctic | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:@simplewebauthn/server | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:@peculiar/x509 | AI (phantom-deps): Bundled library; deps resolved at build time. | ai | |
| phantom-deps | phantom-dep:@authhero/saml | AI (phantom-deps): Bundled library; deps resolved at build time. | ai |
Versions (showing 51 of 167)
| Version | Deps | Published |
|---|---|---|
| 5.17.1 | 18 / 34 | |
| 5.17.0 | 18 / 34 | |
| 5.16.0 | 18 / 34 | |
| 5.15.0 | 18 / 34 | |
| 5.14.1 | 18 / 34 | |
| 5.14.0 | 18 / 34 | |
| 5.13.1 | 18 / 34 | |
| 5.13.0 | 18 / 34 | |
| 5.12.0 | 18 / 34 | |
| 5.11.0 | 17 / 34 | |
| 5.10.0 | 17 / 34 | |
| 5.9.1 | 17 / 34 | |
| 5.9.0 | 17 / 34 | |
| 5.8.1 | 17 / 34 | |
| 5.8.0 | 17 / 34 | |
| 5.7.0 | 17 / 34 | |
| 5.6.0 | 17 / 34 | |
| 5.5.0 | 17 / 34 | |
| 5.4.1 | 17 / 34 | |
| 5.4.0 | 17 / 34 | |
| 5.3.1 | 17 / 34 | |
| 5.3.0 | 17 / 34 | |
| 5.2.0 | 17 / 34 | |
| 5.1.1 | 17 / 34 | |
| 5.1.0 | 17 / 34 | |
| 5.0.0 | 17 / 34 | |
| 4.120.0 | 17 / 34 | |
| 4.119.0 | 17 / 34 | |
| 4.118.0 | 17 / 34 | |
| 4.117.0 | 17 / 34 | |
| 4.116.0 | 17 / 34 | |
| 4.115.0 | 17 / 34 | |
| 4.114.0 | 17 / 34 | |
| 4.113.0 | 16 / 31 | |
| 4.112.0 | 16 / 31 | |
| 4.111.0 | 16 / 31 | |
| 4.110.0 | 16 / 31 | |
| 4.109.0 | 16 / 31 | |
| 4.108.0 | 16 / 30 | |
| 4.107.0 | 16 / 30 | |
| 4.106.1 | 16 / 30 | |
| 4.106.0 | 16 / 30 | |
| 4.105.0 | 16 / 30 | |
| 4.104.0 | 16 / 30 | |
| 4.103.2 | 16 / 30 | |
| 4.103.1 | 16 / 30 | |
| 4.103.0 | 16 / 30 | |
| 4.102.0 | 16 / 30 | |
| 4.101.1 | 16 / 30 | |
| 4.101.0 | 16 / 30 | |
| 4.100.0 | 16 / 30 |
v5.17.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.17.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.15.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.14.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.14.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.13.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.13.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.12.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.11.0
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.10.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.9.1
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.9.0
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.8.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.3.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.120.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.119.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.118.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.117.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.116.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.115.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.114.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.113.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.112.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.111.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.110.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.109.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.108.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.107.0
3 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.106.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.105.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.104.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.103.2
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.103.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.103.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.102.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.101.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.101.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.100.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.