image-js — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

lpatinystropitektargoscheminfo-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Well-established cheminfo ecosystem package; no material changes from prior version; publisher has strong approval track record.	ai	2026/05/26
dependencies	unvetted-dep:ssim.js	AI (dependencies): Image similarity metric library; expected dependency for an image processing package.	ai	2026/05/04
dependencies	unvetted-dep:fast-bmp	AI (dependencies): BMP image format decoder; expected for image-js.	ai	2026/05/04
dependencies	unvetted-dep:fast-jpeg	AI (dependencies): JPEG decoder; expected for image-js.	ai	2026/05/04
dependencies	unvetted-dep:ml-ransac	AI (dependencies): RANSAC algorithm from ml-js ecosystem; appropriate for image geometry operations.	ai	2026/05/04
dependencies	unvetted-dep:uint8-base64	AI (dependencies): Utility for base64 encoding of binary data; appropriate for image-js.	ai	2026/05/04
dependencies	unvetted-dep:ml-convolution	AI (dependencies): Convolution math from ml-js; expected for image filtering operations.	ai	2026/05/04
dependencies	unvetted-dep:bresenham-zingl	AI (dependencies): Line drawing algorithm; expected for image drawing operations.	ai	2026/05/04
dependencies	unvetted-dep:tiff	AI (dependencies): Domain-appropriate TIFF decoder from the same cheminfo ecosystem; stable dependency for this image library.	ai	2026/05/04
dependencies	unvetted-dep:median-quickselect	AI (dependencies): Median filter utility; expected for image processing.	ai	2026/05/04
dependencies	unvetted-dep:ml-affine-transform	AI (dependencies): Affine transform from ml-js; expected for image geometry operations.	ai	2026/05/04
dependencies	unvetted-dep:ml-spectra-processing	AI (dependencies): Spectra processing from cheminfo ecosystem; appropriate for scientific image analysis.	ai	2026/05/04
dependencies	unvetted-dep:ml-regression-polynomial-2d	AI (dependencies): 2D polynomial regression from ml-js; appropriate for image calibration.	ai	2026/05/04
dependencies	unvetted-dep:ml-regression-multivariate-linear	AI (dependencies): Multivariate regression from ml-js; appropriate for image analysis.	ai	2026/05/04
provenance	no-provenance	AI (provenance): Established package predating Sigstore provenance; absence is expected for this age.	ai	2026/05/04
dependencies	unvetted-dep:js-priority-queue	AI (dependencies): Data structure utility; appropriate for image processing algorithms.	ai	2026/05/04

Versions (showing 2 of 2)

Version	Deps	Published
1.6.1	21 / 36	2026-05-20
1.6.0	21 / 36	2026-04-30

v1.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.