@-xun/symbiote
The scripts and assets powering Xunnamius's NPM-based projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:babel-plugin-explicit-exports-references | AI (phantom-deps): Babel plugin loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:sort-package-json | AI (phantom-deps): CLI tool invoked via scripts, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-frontmatter | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-tight-comments | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-validate-links | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-sort-definitions | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-capitalize-headings | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-renumber-references | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-remove-unused-definitions | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-remove-url-trailing-slash | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-lint-fenced-code-flag-case | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-rewrite-imports | AI (phantom-deps): Babel plugin loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:dotenv-cli | AI (phantom-deps): CLI tool referenced in config/scripts, not imported directly; expected pattern for this dev toolchain. | ai | |
| phantom-deps | phantom-dep:remark-gfm | AI (phantom-deps): Remark plugin loaded via config files, not direct import; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:jest-circus | AI (phantom-deps): Jest runner loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-lint | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:rejoinder-cli | AI (phantom-deps): CLI tool used via config/scripts, not direct import. | ai | |
| phantom-deps | phantom-dep:remark-ignore | AI (phantom-deps): Remark plugin loaded via config, not direct import. | ai | |
| phantom-deps | phantom-dep:all-contributors-cli | AI (phantom-deps): CLI tool invoked via scripts, not direct import. | ai | |
| phantom-deps | phantom-dep:npm-check-updates | AI (phantom-deps): CLI tool invoked via scripts, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): Framework-scoped, loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:typedoc | AI (phantom-deps): Config-referenced dev tool; stable false positive. | ai | |
| phantom-deps | phantom-dep:husky | AI (phantom-deps): CLI tooling package; husky referenced in config files by convention, not imported directly. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript used as a build tool via config, not directly imported. | ai | |
| phantom-deps | phantom-dep:babel-jest | AI (phantom-deps): babel-jest loaded by jest config convention, not directly imported. | ai | |
| phantom-deps | phantom-dep:doctoc | AI (phantom-deps): CLI tool referenced in scripts/config, not directly imported. | ai | |
| phantom-deps | phantom-dep:lint-staged | AI (phantom-deps): lint-staged referenced in husky hooks/config, not directly imported. | ai | |
| provenance | no-provenance | AI (provenance): Established package with 183 versions; lack of provenance is common and not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:remark-cli | AI (phantom-deps): remark-cli is a CLI tool invoked by config, not imported directly. | ai | |
| bogus-package | bogus-package | AI (bogus-package): README link dump signal is a false positive for a build toolchain package with a proper GitHub repo. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are clipboardy platform fallbacks (xsel/clipboard exe); well-known clipboard utility, stable for this package. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 4.15.10 | 138 / 5 | |
| 4.15.9 | 138 / 5 | |
| 4.15.8 | 138 / 5 | |
| 4.15.7 | 138 / 5 | |
v4.15.10
2 findings

Package contains compiled binaries that could be backdoors:

- node_modules/clipboardy/fallbacks/linux/xsel
- node_modules/clipboardy/fallbacks/windows/clipboard_i686.exe
- node_modules/clipboardy/fallbacks/windows/clipboard_x86_64.exe
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.9
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.8
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.15.7
1 finding

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.