@jsenv/core
Tool to develop, test and build js projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode used for data URL parsing — legitimate utility, not obfuscation. | ai | |
| phantom-deps | phantom-dep:react-table | AI (phantom-deps): Referenced in config/test files only; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@financial-times/polyfill-useragent-normaliser | AI (phantom-deps): Referenced in config files only; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jsenv/js-module-fallback | AI (phantom-deps): Same org scope; indirect usage pattern is expected for this monorepo package. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @jsenv/core is a long-established JS build tool, not a typosquat of 'cors'; Levenshtein match is coincidental. | ai |
v41.2.4
2 findingsPackage name '@jsenv/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v40.12.11
2 findingsPackage name '@jsenv/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v40.12.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.