← Home

@aquera/nile-elements

npm
17
Versions
License
Yes
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ashok.kumar.aqueraraviqauerasandeep-aquera

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff large-new-source-files AI (source-diff): Rapidly growing component library; large file additions are consistent with new component additions across versions. ai
publish-pattern new-deps-added AI (publish-pattern): marked added to support new nile-markdown component; well-known, benign markdown parsing library. ai
source-diff encoded-string-file:dist/index.js AI (source-diff): Long strings are minified web component JS (lit directives, icon maps); consistent with a large UI component library bundle. ai
install-scripts install-script:postinstall AI (install-scripts): Runs local postinstall.js; figlet+chalk deps suggest a banner script, not exfiltration. Stable pattern for this package. ai
phantom-deps phantom-dep:element-internals-polyfill AI (phantom-deps): Polyfill loaded via side-effect in config; not directly imported in source files. ai
phantom-deps phantom-dep:@open-wc/form-control AI (phantom-deps): Declared dep used in config/types for web-component form integration; not a direct import by design. ai
phantom-deps phantom-dep:@open-wc/form-helpers AI (phantom-deps): Same rationale as @open-wc/form-control. ai

Versions (showing 17 of 17)

Version Deps Published
1.8.6 20 / 30
1.8.3 19 / 30
1.8.2 19 / 30
1.8.1 19 / 30
1.8.0 19 / 30
1.7.9 19 / 30
1.7.8 19 / 30
1.7.7 19 / 30
1.7.6 19 / 30
1.7.5 19 / 30
1.7.4 19 / 30
1.7.3 19 / 30
1.7.2 19 / 30
1.7.1 18 / 30
1.7.0 18 / 30
1.6.9 18 / 30
1.6.8 18 / 30

v1.8.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.8.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.7

2 findings
HIGH Long encoded string in modified file: dist/index.js source-diff

Modified file contains 602 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.7.6

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.5

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.4

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.3

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.2

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.1

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.0

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.9

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.8

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.