rdf-validate-shacl
| Versions | License | Install Scripts | Provenance |
|---|---|---|---|
| 4 | — | No | Missing |
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
tpluscode, ludovicm67, zazuko-bot
Keywords
rdf, shacl, validation
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:rdf-dataset-ext | AI (phantom-deps): rdf-dataset-ext is a legitimate runtime dependency; phantom-dep is a false positive as it may be used indirectly or in config-referenced code paths. | ai | |
| dependencies | unvetted-dep:rdf-literal | AI (dependencies): rdf-literal is a standard RDF.js utility library; expected dependency for an RDF validator. | ai | |
| dependencies | unvetted-dep:@rdfjs/dataset | AI (dependencies): Official RDF.js community dataset implementation; expected dependency for an RDF/SHACL validator. | ai | |
| dependencies | unvetted-dep:@vocabulary/sh | AI (dependencies): SHACL vocabulary namespace package; directly expected for a SHACL validator. | ai | |
| dependencies | unvetted-dep:@rdfjs/term-set | AI (dependencies): Official RDF.js term-set utility; expected dependency for an RDF/SHACL validator. | ai | |
| dependencies | unvetted-dep:clownface | AI (dependencies): clownface is a well-known RDF graph traversal library in the RDF.js ecosystem; expected dependency for an RDF/SHACL validator. | ai | |
| dependencies | unvetted-dep:@rdfjs/data-model | AI (dependencies): Official RDF.js data model implementation; expected dependency for an RDF/SHACL validator. | ai | |
| dependencies | unvetted-dep:@rdfjs/environment | AI (dependencies): Official RDF.js environment package; expected dependency for an RDF/SHACL validator. | ai | |
| dependencies | unvetted-dep:rdf-validate-datatype | AI (dependencies): RDF datatype validation utility; directly expected for a SHACL validator that must validate RDF datatypes. | ai | |
| provenance | no-provenance | AI (provenance): Established package from Zazuko org with public GitHub repo; lack of Sigstore provenance is common and not a disqualifier here. | ai | |
| dependencies | unvetted-dep:@rdfjs/namespace | AI (dependencies): Official RDF.js namespace utility; expected dependency for an RDF/SHACL validator. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.6.5 | 12 / 33 | |
| 0.6.4 | 12 / 33 | |
| 0.6.3 | 12 / 33 | |
| 0.5.8 | 11 / 24 | |
v0.6.4
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.