← Home

cbor2

npm Repository Homepage
7
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

hildjj

Keywords

coapcborjsonrfc7049rfc8949rfc8742

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
typosquat typosquat.levenshtein:cors AI (typosquat): cbor2 is a well-established CBOR serialization library with no relation to 'cors'. The Levenshtein match is a false positive; different domains entirely. ai
phantom-deps phantom-dep:@cto.af/wtf8 AI (phantom-deps): @cto.af/wtf8 is a legitimate dependency from the author's own org namespace, used for WTF-8 encoding in CBOR string handling. Phantom classification is benign. ai
dependencies unvetted-dep:@cto.af/wtf8 AI (dependencies): @cto.af/wtf8 is from the author's own organization namespace, consistent with the package's purpose. Pinned to a specific version; low risk. ai

Versions (showing 7 of 7)

Version Deps Published
2.3.0 1 / 0
2.2.1 1 / 0
2.2.0 1 / 0
2.1.2 1 / 0
2.1.1 1 / 0
2.0.1 1 / 0
2.0.0 1 / 0

v2.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.