tscircuit — Greenflagged

Make electronics using Typescript, React, and AI tools.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

seveibar

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase reflects bundling of many deps into browser/webworker minified artifacts; expected for this package's architecture.	ai	2026/06/02
source-diff	net-exec-file:dist/webworker.min.js	AI (source-diff): Legitimate webworker bundle for tscircuit eval; consistent with documented build scripts and package structure.	ai	2026/06/02
source-diff	net-exec-file:dist/browser.min.js	AI (source-diff): Legitimate browser bundle exported via package.json exports map; code samples show React/module boilerplate, not malware.	ai	2026/06/02
phantom-deps	phantom-dep:@tscircuit/krt-wasm	AI (phantom-deps): Platform-specific binary package; legitimate implicit dependency for this monorepo.	ai	2026/06/01
source-diff	encoded-string-file:dist/webworker.min.js	AI (source-diff): Long string is SVG/CSS chart rendering code in a minified webworker bundle, not an obfuscated payload.	ai	2026/05/30
dependencies	unvetted-dep:@tscircuit/solver-utils	AI (dependencies): tscircuit first-party package; stable pattern across versions.	ai	2026/04/28
phantom-deps	phantom-dep:@rollup/plugin-commonjs	AI (phantom-deps): Build tooling; framework-scoped, loaded by convention.	ai	2026/04/28
phantom-deps	phantom-dep:@rollup/plugin-node-resolve	AI (phantom-deps): Build tooling; framework-scoped, loaded by convention.	ai	2026/04/28
phantom-deps	phantom-dep:@rollup/plugin-typescript	AI (phantom-deps): Build tooling; framework-scoped, loaded by convention.	ai	2026/04/28
phantom-deps	phantom-dep:@rollup/plugin-json	AI (phantom-deps): Build tooling; framework-scoped, loaded by convention.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/alphabet	AI (phantom-deps): Newly added tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:format-si-unit	AI (phantom-deps): Utility dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:debug	AI (phantom-deps): Stable false positive; debug is a transitive runtime dep in this large meta-package.	ai	2026/04/28
phantom-deps	phantom-dep:tslib	AI (phantom-deps): Known implicit TypeScript runtime dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:rollup	AI (phantom-deps): Build tool referenced in config; stable false positive for this package.	ai	2026/04/28
phantom-deps	phantom-dep:comlink	AI (phantom-deps): Used in web worker build; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:sucrase	AI (phantom-deps): Build-time dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:flatbush	AI (phantom-deps): Transitive spatial indexing dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): Peer/bundled dep for browser build; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:css-select	AI (phantom-deps): Transitive dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:performance-now	AI (phantom-deps): Polyfill dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:calculate-packing	AI (phantom-deps): Geometry dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:rollup-plugin-dts	AI (phantom-deps): Build tool; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:svg-path-commander	AI (phantom-deps): SVG utility dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:transformation-matrix	AI (phantom-deps): Math utility dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/runframe	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/soup-util	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/math-utils	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/checks	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/circuit-json-util	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:@tscircuit/infgrid-ijump-astar	AI (phantom-deps): tscircuit ecosystem dep; stable false positive.	ai	2026/04/28
dependencies	unvetted-dep:minicssgrid	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:bpc-graph	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:poppygl	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:kicadts	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:s-expression	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:jscad-planner	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:circuit-to-svg	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:graphics-debug	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:@resvg/resvg-js	AI (dependencies): Well-known SVG rendering library; stable for this package.	ai	2026/04/28
dependencies	unvetted-dep:calculate-elbow	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:@tscircuit/alphabet	AI (dependencies): tscircuit first-party dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:@tscircuit/miniflex	AI (dependencies): tscircuit first-party dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:circuit-json-to-bpc	AI (dependencies): tscircuit ecosystem dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:@tscircuit/matchpack	AI (dependencies): tscircuit first-party dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:circuit-json-to-gltf	AI (dependencies): tscircuit ecosystem dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:circuit-json-to-spice	AI (dependencies): tscircuit ecosystem dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:kicad-to-circuit-json	AI (dependencies): tscircuit ecosystem dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:spicey	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
dependencies	unvetted-dep:@tscircuit/footprinter	AI (dependencies): tscircuit first-party dep; stable.	ai	2026/04/28
dependencies	unvetted-dep:connectivity-map	AI (dependencies): tscircuit ecosystem dep; stable pattern across versions.	ai	2026/04/28
source-diff	encoded-string-file:dist/browser.min.js	AI (source-diff): tscircuit ships a minified browser bundle; long strings in dist/browser.min.js are CSS-in-JS and UI code, not malicious payloads. This is stable for this package.	ai	2026/04/26
publish-pattern	new-deps-added	AI (publish-pattern): svg-path-commander is a legitimate SVG utility; @tscircuit/alphabet is a first-party tscircuit package. Both additions are benign for this EDA library.	ai	2026/04/26
phantom-deps	phantom-dep:circuit-json	AI (phantom-deps): Bundled meta-package pattern; all @tscircuit ecosystem deps are expected to appear as phantom deps in this umbrella package.	ai	2026/04/26
phantom-deps	phantom-dep:react	AI (phantom-deps): Bundled meta-package pattern; react is a legitimate peer/bundled dependency for this EDA toolkit.	ai	2026/04/26
phantom-deps	phantom-dep:zod	AI (phantom-deps): tscircuit is a bundled meta-package; phantom deps are expected false positives from the tsup build pattern where deps are bundled rather than directly imported.	ai	2026/04/26
phantom-deps	phantom-dep:@tscircuit/footprinter	AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit scoped dependency.	ai	2026/04/26
phantom-deps	phantom-dep:schematic-symbols	AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit ecosystem dependency.	ai	2026/04/26
phantom-deps	phantom-dep:@tscircuit/capacity-autorouter	AI (phantom-deps): Bundled meta-package pattern; legitimate tscircuit scoped dependency.	ai	2026/04/26
provenance	no-provenance	AI (provenance): tscircuit is a well-established package (1302 days, 2774 versions); lack of Sigstore provenance is not a security concern for this package.	ai	2026/04/25

Versions (showing 51 of 107)

View all versions

Version	Deps	Published
0.0.1797	70 / 4	2026-06-02
0.0.1792	69 / 4	2026-05-29
0.0.1775	69 / 4	2026-05-22
0.0.1737	69 / 4	2026-05-07
0.0.1736	69 / 4	2026-05-07
0.0.1708	67 / 4	2026-04-30
0.0.1700	66 / 4	2026-04-29
0.0.1695	66 / 4	2026-04-29
0.0.1692	66 / 4	2026-04-29
0.0.1672	66 / 4	2026-04-25
0.0.1634	66 / 4	2026-04-16
0.0.1586	65 / 4	2026-03-29
0.0.1567	66 / 4	2026-03-25
0.0.1565	66 / 4	2026-03-25
0.0.1564	66 / 4	2026-03-25
0.0.1560	66 / 4	2026-03-24
0.0.1554	66 / 4	2026-03-23
0.0.1552	66 / 4	2026-03-23
0.0.1532	66 / 4	2026-03-18
0.0.1443	66 / 4	2026-03-06
0.0.1436	66 / 4	2026-03-05
0.0.1434	65 / 4	2026-03-05
0.0.1431	65 / 4	2026-03-04
0.0.1398	65 / 4	2026-03-02
0.0.1392	65 / 4	2026-02-28
0.0.1384	65 / 4	2026-02-27
0.0.1293	65 / 4	2026-02-12
0.0.1246	64 / 4	2026-01-30
0.0.1211	63 / 4	2026-01-26
0.0.1101	63 / 4	2026-01-01
0.0.1084	62 / 4	2025-12-21
0.0.1082	62 / 4	2025-12-21
0.0.1064	62 / 4	2025-12-18
0.0.1029	62 / 4	2025-12-10
0.0.1009	62 / 4	2025-12-03
0.0.1006	62 / 4	2025-12-02
0.0.944	61 / 4	2025-11-25
0.0.943	61 / 4	2025-11-25
0.0.941	61 / 4	2025-11-24
0.0.940	61 / 4	2025-11-24
0.0.919	61 / 4	2025-11-20
0.0.822	51 / 4	2025-10-28
0.0.821	51 / 4	2025-10-28
0.0.820	51 / 4	2025-10-28
0.0.819	51 / 4	2025-10-27
0.0.755	49 / 4	2025-10-15
0.0.527	19 / 4	2025-07-10
0.0.526	19 / 4	2025-07-10
0.0.525	19 / 4	2025-07-09
0.0.524	19 / 4	2025-07-09
0.0.523	19 / 4	2025-07-09

v0.0.1797

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1792

2 findings

HIGH Long encoded string in modified file: dist/webworker.min.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1775

2 findings

HIGH Long encoded string in modified file: dist/webworker.min.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1737

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1736

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1708

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1672

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1634

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1586

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1567

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1565

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1564

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1560

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1554

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1552

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1532

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1443

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1436

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1434

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1431

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1398

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1392

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1384

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1293

2 findings

HIGH Long encoded string in modified file: dist/browser.min.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1246

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1211

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1101

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1084

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1082

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1064

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1029

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1009

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1006

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.944

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.943

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.941

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.940

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.919

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.822

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.821

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.820

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.819

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.755

3 findings

HIGH New file with network + code execution: dist/browser.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/webworker.min.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.527

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.526

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.525

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.524

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.523

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.