
dcmjs

7 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

swederikandrebotchafeydannyrbsedghiwayfarer3130stevepieperhackermdcornerstonejs-botjamesapettssandrasieevren217brunoalvesdefaria

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | encoded-string-file:build/dcmjs.es.js | AI (source-diff): Long strings are DICOM dictionary name blobs and bundled JS — legitimate build artifacts for this DICOM library. | ai |
source-diff | encoded-string-file:build/dcmjs.js | AI (source-diff): Same DICOM dictionary blob pattern; stable false positive for this package. | ai |
source-diff | encoded-string-file:build/dcmjs.min.js | AI (source-diff): Minified bundle; long strings are expected in minified DICOM library output. | ai |
phantom-deps | phantom-dep:loglevel | AI (phantom-deps): Legitimate runtime dependency declared in package.json; heuristic false positive. | ai |
phantom-deps | phantom-dep:gl-matrix | AI (phantom-deps): Legitimate runtime dependency declared in package.json; heuristic false positive. | ai |
typosquat | typosquat.levenshtein:dayjs | AI (typosquat): dcmjs is a long-established DICOM library unrelated to dayjs; name similarity is coincidental. | ai |
phantom-deps | phantom-dep:@babel/runtime-corejs3 | AI (phantom-deps): Babel runtime dep loaded by convention via Babel plugin; heuristic false positive. | ai |
phantom-deps | phantom-dep:lodash.clonedeep | AI (phantom-deps): Legitimate runtime dependency declared in package.json; heuristic false positive. | ai |
phantom-deps | phantom-dep:adm-zip | AI (phantom-deps): Legitimate runtime dependency declared in package.json; heuristic false positive. | ai |
phantom-deps | phantom-dep:ndarray | AI (phantom-deps): Legitimate runtime dependency declared in package.json; heuristic false positive. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
0.52.0 | 7 / 24 |
0.51.1 | 7 / 22 |
0.51.0 | 7 / 22 |
0.50.3 | 7 / 22 |
0.50.2 | 7 / 22 |
0.50.1 | 7 / 22 |
0.49.4 | 7 / 22 |

v0.52.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.51.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.51.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.50.3

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.50.2

4 findings
HIGH  Long encoded string in modified file: build/dcmjs.es.js  [source-diff]

Modified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH  Long encoded string in modified file: build/dcmjs.js  [source-diff]

Modified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH  Long encoded string in modified file: build/dcmjs.min.js  [source-diff]

Modified file contains 12 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.