d3-geo-voronoi
Spherical Voronoi Diagram and Delaunay Triangulation
Versions: 22
License: ISC
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mbostock, recifs
Keywords
d3, d3-module, d3-geo, d3-delaunay
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:rollup | AI (phantom-deps): rollup is referenced in build/pretest scripts in package.json; it is a build tool, not a runtime import. Phantom-dep finding is expected and benign. | ai | |
| dependencies | unvetted-dep:rollup | AI (dependencies): rollup is a standard JS bundler used in build scripts for this D3 module; its presence as a dependency is a packaging quirk of this early version, not a security concern. | ai | |
| dependencies | unvetted-dep:d3-voronoi | AI (dependencies): d3-voronoi is a core D3 module; unvetted status is a general ecosystem signal, not a security concern for this package. | ai | |
| dependencies | unvetted-dep:d3 | AI (dependencies): d3 is a core dependency for this D3 module; unvetted status is expected and acceptable. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is in bundled D3 v4 source (dev/d3.v4.js), not original code; used for safe object converter pattern with static column names. | ai | |
| phantom-deps | phantom-dep:d3 | AI (phantom-deps): d3 is a peer dependency for D3 modules; phantom status is expected and referenced in build config. | ai | |
| provenance | missing-githead | AI (provenance): Established D3 package with clean history; missing gitHead reflects a publish environment change, not a security concern for this well-known maintainer. | ai | |
| provenance | no-provenance | AI (provenance): Established D3 ecosystem package by known maintainer; lack of Sigstore provenance is not a meaningful risk signal for this package. | ai | |
Versions (showing 22 of 22)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 4 / 5 | |
| 2.0.1 | 4 / 5 | |
| 2.0.0 | 4 / 5 | |
| 1.6.0 | 4 / 4 | |
| 1.5.0 | 4 / 4 | |
| 1.4.1 | 3 / 4 | |
| 1.4.0 | 3 / 4 | |
| 1.3.0 | 3 / 4 | |
| 1.2.1 | 3 / 4 | |
| 1.2.0 | 3 / 4 | |
| 1.1.2 | 3 / 4 | |
| 1.1.1 | 3 / 4 | |
| 1.1.0 | 3 / 4 | |
| 1.0.2 | 3 / 4 | |
| 1.0.1 | 3 / 4 | |
| 1.0.0 | 3 / 4 | |
| 0.0.6 | 4 / 4 | |
| 0.0.5 | 4 / 4 | |
| 0.0.4 | 4 / 4 | |
| 0.0.3 | 4 / 4 | |
| 0.0.2 | 5 / 3 | |
| 0.0.1 | 5 / 3 | |
v0.0.6: 1 finding
INFO: No provenance attestation (provenance)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3: 1 finding
INFO: No provenance attestation (provenance)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.