@casual-simulation/aux-common

Common library for AUX projects

Versions: 11
License: AGPL-3.0-only
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

kallyngowdyyeticasualsimulation

Keywords

aux, so4, realtime, crdt

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
publish-pattern new-deps-added AI (publish-pattern): Dep swap from @casual-simulation/three to canonical three; benign normalization for this established package. ai
dependencies unvetted-dep:@casual-simulation/crypto AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/expect AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/timesync AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/engine262 AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/stacktrace AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/three AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/error-stack-parser AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@casual-simulation/fast-json-stable-stringify AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
dependencies unvetted-dep:@types/estraverse AI (dependencies): Type definitions package; no runtime risk, stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/three AI (phantom-deps): Same-org monorepo dep; phantom detection is a stable false positive here. ai
dependencies unvetted-dep:@casual-simulation/js-interpreter AI (dependencies): First-party monorepo dependency; stable pattern across all versions of this package. ai
phantom-deps phantom-dep:@casual-simulation/engine262 AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/stacktrace AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai
phantom-deps phantom-dep:htm AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/error-stack-parser AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/fast-json-stable-stringify AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai
phantom-deps phantom-dep:@opentelemetry/semantic-conventions AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:three AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:expect AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:preact AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:astring AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:lru-cache AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:estraverse AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:@types/uuid AI (phantom-deps): Framework-scoped type package; stable false positive for this package. ai
phantom-deps phantom-dep:@types/estraverse AI (phantom-deps): Framework-scoped type package; stable false positive for this package. ai
phantom-deps phantom-dep:@opentelemetry/resources AI (phantom-deps): Config-file reference only; stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/crypto AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai
phantom-deps phantom-dep:@casual-simulation/expect AI (phantom-deps): Same-org sibling dep; stable false positive for this package. ai

Versions (showing 11 of 11)

Version Deps Published
4.2.3 30 / 2
4.2.2 30 / 2
4.1.4 30 / 2
4.1.1 30 / 2
4.1.0 30 / 2
4.0.5 30 / 2
4.0.1 30 / 2
4.0.0 30 / 2
3.10.4 30 / 2
3.10.2 30 / 2
3.8.1 30 / 2

v4.2.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.