jssip
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is confined to gulpfile.js (dev build tooling), not runtime library code. | ai | |
| phantom-deps | phantom-dep:@types/debug | AI (phantom-deps): @types/* packages are TypeScript type declarations loaded by convention, not direct imports. | ai | |
| phantom-deps | phantom-dep:@types/events | AI (phantom-deps): @types/* packages are TypeScript type declarations loaded by convention, not direct imports. | ai |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 3.13.8 | 3 / 21 | |
| 3.13.7 | 3 / 21 | |
| 3.13.6 | 3 / 21 | |
| 3.13.5 | 3 / 21 | |
| 3.13.4 | 3 / 21 | |
| 3.13.2 | 3 / 21 | |
| 3.13.0 | 3 / 21 | |
| 3.12.0 | 3 / 10 | |
| 3.11.1 | 5 / 5 | |
| 3.11.0 | 5 / 9 | |
| 3.10.10 | 5 / 18 | |
| 3.10.9 | 5 / 18 | |
| 3.10.7 | 5 / 18 | |
| 3.10.6 | 5 / 18 | |
| 3.10.5 | 5 / 18 | |
| 3.10.4 | 5 / 18 | |
| 3.10.3 | 5 / 18 | |
| 3.10.2 | 5 / 18 | |
| 3.10.0 | 5 / 18 |
v3.13.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.13.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.