sass-embedded
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/lib/src/vendor/embedded_sass_pb.js | AI (source-diff): Protobuf-generated file; long encoded strings are inherent to the codegen output. | ai | |
| dependencies | unvetted-dep:buffer-builder | AI (dependencies): buffer-builder is a legitimate binary buffer utility appropriate for the Embedded Sass protocol communication layer; stable dependency for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): nex3 (Natalie Weizenbaum) is the lead Sass developer; templated package names reflect the legitimate platform-specific sass-embedded family. False positive for this package. | ai | |
| dependencies | unvetted-dep:sync-child-process | AI (dependencies): sync-child-process is a core architectural dependency for spawning the embedded Dart Sass compiler synchronously; its use is documented and expected for this package. | ai |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 1.100.0 | 7 / 26 | |
| 1.99.0 | 7 / 26 | |
| 1.98.0 | 7 / 26 | |
| 1.97.3 | 7 / 26 | |
| 1.97.2 | 8 / 24 | |
| 1.97.1 | 8 / 24 | |
| 1.97.0 | 8 / 24 | |
| 1.96.0 | 8 / 24 | |
| 1.95.1 | 8 / 24 | |
| 1.93.3 | 8 / 24 | |
| 1.93.2 | 8 / 24 | |
| 1.93.1 | 8 / 24 | |
| 1.93.0 | 8 / 24 | |
| 1.92.1 | 8 / 24 | |
| 1.92.0 | 8 / 24 | |
| 1.91.0 | 8 / 24 | |
| 1.90.0 | 8 / 24 | |
| 1.89.2 | 8 / 24 | |
| 1.89.1 | 8 / 24 | |
| 1.89.0 | 8 / 24 | |
| 1.88.0 | 8 / 24 |
v1.100.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.99.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.98.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.96.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.95.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.93.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.93.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.93.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.93.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.92.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.92.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.91.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.90.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.89.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.88.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.