@panneau/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): react-helmet is a well-known legitimate React library; addition is benign for this established package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is a maintenance preference, not a security defect for established packages. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Established package with stable ecosystem trust; empty description is benign metadata. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dependency; loaded by convention in transpiled packages. | ai | |
| phantom-deps | phantom-dep:tinycolor2 | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:react-helmet | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@folklore/forms | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:hoist-non-react-statics | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@fortawesome/react-fontawesome | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@fortawesome/fontawesome-svg-core | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@fortawesome/free-solid-svg-icons | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:flat | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:bootstrap | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:classnames | AI (phantom-deps): Config-referenced transitive dep; stable pattern for this monorepo package. | ai | |
| dependencies | unvetted-dep:@folklore/tracking | AI (dependencies): First-party dep from same Folklore org as this package. | ai | |
| dependencies | unvetted-dep:@folklore/forms | AI (dependencies): First-party dep from same Folklore org as this package. | ai | |
| dependencies | unvetted-dep:@folklore/fetch | AI (dependencies): First-party dep from same Folklore org as this package. | ai | |
| dependencies | unvetted-dep:@folklore/services | AI (dependencies): First-party dep from same Folklore org as this package. | ai | |
| dependencies | unvetted-dep:@folklore/routes | AI (dependencies): First-party dep from same Folklore org as this package. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @panneau/core in a long-lived monorepo; not a typosquat of cors. | ai |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 4.0.55 | 26 / 2 | |
| 4.0.50 | 26 / 2 | |
| 4.0.48 | 26 / 2 | |
| 4.0.38 | 26 / 2 | |
| 4.0.37 | 26 / 2 | |
| 4.0.21 | 26 / 2 | |
| 4.0.18 | 26 / 2 | |
| 4.0.15 | 26 / 2 | |
| 4.0.14 | 26 / 2 | |
| 4.0.11 | 27 / 2 | |
| 4.0.8 | 27 / 2 | |
| 4.0.6 | 27 / 2 | |
| 4.0.4 | 27 / 2 | |
| 4.0.1 | 27 / 2 | |
| 4.0.0 | 28 / 2 | |
| 3.0.319 | 28 / 2 | |
| 3.0.317 | 28 / 2 | |
| 3.0.314 | 28 / 2 | |
| 3.0.307 | 28 / 2 |
v4.0.55
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.50
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.48
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.38
2 findingsPackage name '@panneau/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.37
2 findingsPackage name '@panneau/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.319
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (dmongeau) than the most recent previously approved version (phatshambler) on 2025-12-17, but dmongeau is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.0.317
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (dmongeau) than the most recent previously approved version (phatshambler) on 2025-12-16, but dmongeau is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v3.0.314
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.307
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.