open-collaboration-yjs
Open Collaboration Yjs integration, part of the Open Collaboration Tools project
Versions: 8
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
msujew, jonah.iden
Keywords
collaboration, live-share, yjs
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): vscode-languageserver-textdocument is a well-known Microsoft VS Code ecosystem package; its addition to a Yjs collaboration integration is contextually appropriate and not suspicious. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer jonah.iden added to an Eclipse org project by a publisher with a clean 16/0 track record; consistent with normal open-source team growth at TypeFox/eclipse-oct. | ai | |
| dependencies | unvetted-dep:vscode-languageserver-textdocument | AI (dependencies): vscode-languageserver-textdocument is a well-known Microsoft/VS Code ecosystem package; its use in a Yjs text collaboration library is expected and benign. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used legitimately to decode binary Yjs protocol messages from the wire; this is a standard pattern in Yjs integrations and not a malicious payload indicator. | ai | |
| dependencies | unvetted-dep:lib0 | AI (dependencies): lib0 is a standard utility library by the Yjs author, widely used across the Yjs ecosystem. Expected dependency for any Yjs integration. | ai | |
| dependencies | unvetted-dep:y-protocols | AI (dependencies): y-protocols is the official Yjs protocol library, a standard dependency for Yjs integrations. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.3.1 | 3 / 0 | |
| 0.3.0 | 4 / 0 | |
| 0.2.0 | 3 / 0 | |
| 0.1.0 | 3 / 0 | |
| 0.0.4 | 3 / 0 | |
| 0.0.3 | 3 / 0 | |
| 0.0.2 | 3 / 0 | |
| 0.0.1 | 4 / 0 | |
v0.3.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.