@casual-simulation/aux-runtime

Runtime for AUX projects

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kallyngowdyyeticasualsimulation

Keywords

auxso4realtimecrdt

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@casual-simulation/three	AI (dependencies): First-party org-scoped package; stable pattern across all versions.	ai	2026/05/30
phantom-deps	phantom-dep:expect	AI (phantom-deps): Test utility; phantom-dep heuristic false positive for this package.	ai	2026/05/30
dependencies	unvetted-dep:@types/estraverse	AI (dependencies): Type definitions package; no runtime risk.	ai	2026/05/30
dependencies	unvetted-dep:typesense	AI (dependencies): Well-known search client library; no malware signals.	ai	2026/05/30
dependencies	unvetted-dep:@casual-simulation/stacktrace	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/engine262	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/js-interpreter	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/error-stack-parser	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/fast-json-stable-stringify	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
phantom-deps	phantom-dep:@types/uuid	AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive.	ai	2026/05/18
phantom-deps	phantom-dep:@types/estraverse	AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive.	ai	2026/05/18
phantom-deps	phantom-dep:@types/seedrandom	AI (phantom-deps): @types packages are type-only and not directly imported; stable false positive.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/crypto	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
dependencies	unvetted-dep:@casual-simulation/expect	AI (dependencies): Same-org monorepo dependency; stable false positive for this package.	ai	2026/05/18
phantom-deps	phantom-dep:@casual-simulation/expect	AI (phantom-deps): Same-org dep declared in package.json; phantom-dep is a false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@casual-simulation/stacktrace	AI (phantom-deps): Same-org dep declared in package.json; phantom-dep is a false positive.	ai	2026/04/29
phantom-deps	phantom-dep:lib0	AI (phantom-deps): lib0 is a declared dependency used transitively via yjs; phantom-dep is a false positive here.	ai	2026/04/29
phantom-deps	phantom-dep:acorn-jsx	AI (phantom-deps): acorn-jsx is a declared runtime dep; phantom-dep heuristic misfires for this package.	ai	2026/04/29
phantom-deps	phantom-dep:three	AI (phantom-deps): three is a declared runtime dep; phantom-dep heuristic misfires for this package.	ai	2026/04/29
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() is used in a proxy trap for sandboxed JS runtime — expected pattern for this package.	ai	2026/04/29
phantom-deps	phantom-dep:axios	AI (phantom-deps): axios is a declared runtime dep; phantom-dep heuristic misfires for this package.	ai	2026/04/29

Versions (showing 6 of 6)

Version	Deps	Published
4.2.4	36 / 4	2026-05-16
4.2.3	36 / 4	2026-04-27
4.1.0	36 / 4	2026-02-13
4.0.0	36 / 4	2026-01-27
3.10.4	36 / 4	2026-01-13
3.8.1	36 / 4	2025-11-05

v4.2.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.10.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.8.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.