@module-federation/node
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA provenance; consistent with monorepo CI/CD automation for this org. | ai | |
| source-diff | net-exec-file:dist/src/utils/flush-chunks.mjs | AI (source-diff): Core MF federation state introspection; new Function used to access globalThis, not arbitrary remote code execution. | ai | |
| source-diff | net-exec-file:dist/src/utils/hot-reload.mjs | AI (source-diff): HMR utility using eval('require') as webpack compat fallback; expected pattern for this package. | ai | |
| source-diff | net-exec-file:dist/src/filesystem/stratagies.mjs | AI (source-diff): Legitimate chunk-loading strategies (vm.runInThisContext for local files, fetch for remote chunks) — core MF Node functionality. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): Scoped package @module-federation/node is not a typosquat of zod; Levenshtein match is a false positive. | ai | |
| phantom-deps | phantom-dep:encoding | AI (phantom-deps): encoding is a declared runtime dep used transitively by node-fetch; stable false positive for this package. | ai |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 2.7.43 | 6 / 0 | |
| 2.7.42 | 6 / 0 | |
| 2.7.41 | 6 / 0 | |
| 2.7.40 | 6 / 0 | |
| 2.7.39 | 6 / 0 | |
| 2.7.38 | 7 / 0 | |
| 2.7.37 | 7 / 0 | |
| 2.7.36 | 7 / 0 | |
| 2.7.35 | 7 / 0 | |
| 2.7.34 | 6 / 0 | |
| 2.7.33 | 6 / 0 | |
| 2.7.32 | 6 / 0 | |
| 2.7.31 | 6 / 0 | |
| 2.7.30 | 6 / 0 | |
| 2.7.29 | 6 / 0 | |
| 2.7.28 | 6 / 0 | |
| 2.7.27 | 6 / 0 | |
| 2.7.26 | 6 / 0 | |
| 2.7.25 | 6 / 0 | |
| 2.7.24 | 6 / 0 | |
| 2.7.23 | 6 / 0 | |
| 2.7.22 | 6 / 0 | |
| 2.7.21 | 6 / 0 | |
| 2.7.20 | 6 / 0 | |
| 2.7.19 | 6 / 0 | |
| 2.7.18 | 6 / 0 | |
| 2.7.17 | 6 / 0 | |
| 2.7.16 | 6 / 0 | |
| 2.7.15 | 6 / 0 | |
| 2.7.14 | 6 / 0 | |
| 2.7.13 | 6 / 0 | |
| 2.7.12 | 6 / 0 | |
| 2.7.11 | 6 / 0 | |
| 2.7.10 | 6 / 0 | |
| 2.7.9 | 6 / 0 | |
| 2.7.8 | 6 / 0 | |
| 2.7.7 | 6 / 0 | |
| 2.7.6 | 6 / 0 | |
| 2.7.5 | 6 / 0 | |
| 2.7.4 | 6 / 0 | |
| 2.7.3 | 6 / 0 | |
| 2.7.2 | 6 / 0 |
v2.7.43
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.42
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.41
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.40
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.39
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.38
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.37
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.36
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.35
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.34
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.33
4 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.23
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.21
2 findingsThis version was published by a different npm account than previous versions on 2025-10-28. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.20
2 findingsThis version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.19
2 findingsThis version was published by a different npm account than previous versions on 2025-10-20. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.18
2 findingsThis version was published by a different npm account than previous versions on 2025-10-10. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.17
2 findingsThis version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.16
2 findingsThis version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.